
Windows Analysis Report
KlzXRW4Ag7.dll

Overview

General Information

Sample name: KlzXRW4Ag7.dll (renamed because the original name is a hash value)
Original sample name: cebf76deabb47efe7ad3769c0586815d1d45e2ef9718057de77abb46b554f6f4.dll
Analysis ID: 1557653
MD5: e51727b49e9c42d20db8ecdc7e20e0ae
SHA1: 7777702d55eb92fe4f4ce2edbaf1dc2db83ae68b
SHA256: cebf76deabb47efe7ad3769c0586815d1d45e2ef9718057de77abb46b554f6f4
Tags: 103-45-64-91dlluser-JAMESWT_MHT

Detection

GhostRat, Mimikatz, Nitol
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected GhostRat
Yara detected Mimikatz
Yara detected Nitol
AI detected suspicious sample
Checks if browser processes are running
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to modify windows services which are used for security filtering and protection
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to create new users
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • loaddll32.exe (PID: 5460 cmdline: loaddll32.exe "C:\Users\user\Desktop\KlzXRW4Ag7.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 5052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7100 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\KlzXRW4Ag7.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 1868 cmdline: rundll32.exe "C:\Users\user\Desktop\KlzXRW4Ag7.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • cmd.exe (PID: 6540 cmdline: cmd /c md C:\Users\Public\Documents\MM MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 6552 cmdline: cmd /c md C:\Users\Public\Documents\MM MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 6304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 7128 cmdline: rundll32.exe C:\Users\user\Desktop\KlzXRW4Ag7.dll,Shellex MD5: 889B99C52A60DD49227C5E485A016679)
      • cmd.exe (PID: 6348 cmdline: cmd /c md C:\Users\Public\Documents\MM MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6392 cmdline: cmd /c md C:\Users\Public\Documents\MM MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
Name: MimiKatz
Description: Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks. Attackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them.
Attribution:
  • APT32
  • Anunak
  • GALLIUM
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz

Name: Nitol
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol
No configs have been found
Source | Rule | Description | Author | Strings
KlzXRW4Ag7.dll | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
KlzXRW4Ag7.dll | JoeSecurity_Nitol | Yara detected Nitol | Joe Security
KlzXRW4Ag7.dll | JoeSecurity_Mimikatz_1 | Yara detected Mimikatz | Joe Security
KlzXRW4Ag7.dll | Mimikatz_Strings | Detects Mimikatz strings | Florian Roth
  • 0x11fcf3:$x1: sekurlsa::logonpasswords
KlzXRW4Ag7.dll | INDICATOR_TOOL_RTK_HiddenRootKit | Detects the Hidden public rootkit | ditekSHen
  • 0x10444a:$h1: Hid_State
  • 0x1169b0:$h1: Hid_State
  • 0x10445e:$h2: Hid_StealthMode
  • 0x1169d0:$h2: Hid_StealthMode
  • 0x10447e:$h3: Hid_HideFsDirs
  • 0x1169f0:$h3: Hid_HideFsDirs
  • 0x10449c:$h4: Hid_HideFsFiles
  • 0x116a10:$h4: Hid_HideFsFiles
  • 0x1044bc:$h5: Hid_HideRegKeys
  • 0x116a30:$h5: Hid_HideRegKeys
  • 0x1044dc:$h6: Hid_HideRegValues
  • 0x116a50:$h6: Hid_HideRegValues
  • 0x104500:$h7: Hid_IgnoredImages
  • 0x116a80:$h7: Hid_IgnoredImages
  • 0x104524:$h8: Hid_ProtectedImages
  • 0x116ab0:$h8: Hid_ProtectedImages
  • 0x108d66:$s1: FLTMGR.SYS
  • 0x11c6da:$s1: FLTMGR.SYS
  • 0x1092e2:$s2: HAL.dll
  • 0x105e86:$s3: \SystemRoot\System32\csrss.exe
  • 0x118630:$s3: \SystemRoot\System32\csrss.exe

Source | Rule | Description | Author | Strings
00000004.00000002.4538432688.000000001011E000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_Mimikatz_1 | Yara detected Mimikatz | Joe Security
00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_Mimikatz_1 | Yara detected Mimikatz | Joe Security
00000003.00000002.4538448585.000000001011E000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_Mimikatz_1 | Yara detected Mimikatz | Joe Security
Process Memory Space: loaddll32.exe PID: 5460 | JoeSecurity_Mimikatz_1 | Yara detected Mimikatz | Joe Security
Process Memory Space: rundll32.exe PID: 7128 | JoeSecurity_Mimikatz_1 | Yara detected Mimikatz | Joe Security

Source | Rule | Description | Author | Strings
3.2.rundll32.exe.100fbd38.1.unpack | INDICATOR_TOOL_RTK_HiddenRootKit | Detects the Hidden public rootkit | ditekSHen
  • 0x7b12:$h1: Hid_State
  • 0x7b26:$h2: Hid_StealthMode
  • 0x7b46:$h3: Hid_HideFsDirs
  • 0x7b64:$h4: Hid_HideFsFiles
  • 0x7b84:$h5: Hid_HideRegKeys
  • 0x7ba4:$h6: Hid_HideRegValues
  • 0x7bc8:$h7: Hid_IgnoredImages
  • 0x7bec:$h8: Hid_ProtectedImages
  • 0xc42e:$s1: FLTMGR.SYS
  • 0xc9aa:$s2: HAL.dll
  • 0x954e:$s3: \SystemRoot\System32\csrss.exe
  • 0xad84:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
  • 0x258:$s5: INIT
  • 0xbe7e:$s6: \hidden-master\Debug\QAssist.pdb
0.2.loaddll32.exe.1010b380.2.raw.unpack | INDICATOR_TOOL_RTK_HiddenRootKit | Detects the Hidden public rootkit | ditekSHen
  • 0xb630:$h1: Hid_State
  • 0xb650:$h2: Hid_StealthMode
  • 0xb670:$h3: Hid_HideFsDirs
  • 0xb690:$h4: Hid_HideFsFiles
  • 0xb6b0:$h5: Hid_HideRegKeys
  • 0xb6d0:$h6: Hid_HideRegValues
  • 0xb700:$h7: Hid_IgnoredImages
  • 0xb730:$h8: Hid_ProtectedImages
  • 0x1135a:$s1: FLTMGR.SYS
  • 0xd2b0:$s3: \SystemRoot\System32\csrss.exe
  • 0xec80:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
4.2.rundll32.exe.1010b380.2.unpack | INDICATOR_TOOL_RTK_HiddenRootKit | Detects the Hidden public rootkit | ditekSHen
  • 0xaa30:$h1: Hid_State
  • 0xaa50:$h2: Hid_StealthMode
  • 0xaa70:$h3: Hid_HideFsDirs
  • 0xaa90:$h4: Hid_HideFsFiles
  • 0xaab0:$h5: Hid_HideRegKeys
  • 0xaad0:$h6: Hid_HideRegValues
  • 0xab00:$h7: Hid_IgnoredImages
  • 0xab30:$h8: Hid_ProtectedImages
  • 0xfb5a:$s1: FLTMGR.SYS
  • 0xc6b0:$s3: \SystemRoot\System32\csrss.exe
  • 0xe080:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
4.2.rundll32.exe.100fbd38.1.unpack | INDICATOR_TOOL_RTK_HiddenRootKit | Detects the Hidden public rootkit | ditekSHen
  • 0x7b12:$h1: Hid_State
  • 0x7b26:$h2: Hid_StealthMode
  • 0x7b46:$h3: Hid_HideFsDirs
  • 0x7b64:$h4: Hid_HideFsFiles
  • 0x7b84:$h5: Hid_HideRegKeys
  • 0x7ba4:$h6: Hid_HideRegValues
  • 0x7bc8:$h7: Hid_IgnoredImages
  • 0x7bec:$h8: Hid_ProtectedImages
  • 0xc42e:$s1: FLTMGR.SYS
  • 0xc9aa:$s2: HAL.dll
  • 0x954e:$s3: \SystemRoot\System32\csrss.exe
  • 0xad84:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
  • 0x258:$s5: INIT
  • 0xbe7e:$s6: \hidden-master\Debug\QAssist.pdb
0.2.loaddll32.exe.100fbd38.1.unpack | INDICATOR_TOOL_RTK_HiddenRootKit | Detects the Hidden public rootkit | ditekSHen
  • 0x7b12:$h1: Hid_State
  • 0x7b26:$h2: Hid_StealthMode
  • 0x7b46:$h3: Hid_HideFsDirs
  • 0x7b64:$h4: Hid_HideFsFiles
  • 0x7b84:$h5: Hid_HideRegKeys
  • 0x7ba4:$h6: Hid_HideRegValues
  • 0x7bc8:$h7: Hid_IgnoredImages
  • 0x7bec:$h8: Hid_ProtectedImages
  • 0xc42e:$s1: FLTMGR.SYS
  • 0xc9aa:$s2: HAL.dll
  • 0x954e:$s3: \SystemRoot\System32\csrss.exe
  • 0xad84:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
  • 0x258:$s5: INIT
  • 0xbe7e:$s6: \hidden-master\Debug\QAssist.pdb

System Summary

Source: File created, Author: Florian Roth (Nextron Systems), Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 6540, TargetFilename: C:\Users\Public\Documents\MM
No Suricata rule has matched

AV Detection

Source: KlzXRW4Ag7.dll, Avira: detected
Source: KlzXRW4Ag7.dll, ReversingLabs: Detection: 68%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 98.5% probability
Source: KlzXRW4Ag7.dll, Joe Sandbox ML: detected
Source: KlzXRW4Ag7.dll, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: Binary string: F:\hidden-master\x64\Debug\QAssist.pdb, source: loaddll32.exe, 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4538412273.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4538391702.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, KlzXRW4Ag7.dll
Source: Binary string: rundll32.pdb, source: rundll32.exe, 00000004.00000002.4537914253.0000000002C6A000.00000004.00000020.00020000.00000000.sdmp, svchos.exe.4.dr
Source: Binary string: rundll32.pdbGCTL, source: rundll32.exe, 00000004.00000002.4537914253.0000000002C6A000.00000004.00000020.00020000.00000000.sdmp, svchos.exe.4.dr
Source: Binary string: F:\hidden-master\Debug\QAssist.pdb, source: loaddll32.exe, 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4538412273.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4538391702.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, KlzXRW4Ag7.dll
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_100254C0 wcstombs,NetUserEnum,wcstombs,NetApiBufferFree,NetApiBufferFree,LocalAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalReAlloc, 0_2_100254C0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_100254C0 wcstombs,NetUserEnum,wcstombs,NetApiBufferFree,NetApiBufferFree,LocalAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalReAlloc, 3_2_100254C0
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_10009080 lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose, 0_2_10009080
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_100092A0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_100092A0
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_100097D0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,#823,#825,wsprintfA,FindNextFileA,FindClose, 0_2_100097D0
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_1002AB10 lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose, 0_2_1002AB10
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_10009B60 FindFirstFileA,FindClose,FindClose, 0_2_10009B60
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_10009C40 FindFirstFileA,FindClose,CloseHandle,CreateFileA, 0_2_10009C40
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1000BD50 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z,?_Xran@std@@YAXXZ,?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ,?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,FindFirstFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,#825,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,DeleteFileA,#825,FindNextFileA,FindClose,RemoveDirectoryA,#825,0_2_1000BD50
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_10009080 lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose, 3_2_10009080
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_100092A0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 3_2_100092A0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_100097D0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,#823,#825,wsprintfA,FindNextFileA,FindClose, 3_2_100097D0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_1002AB10 lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose, 3_2_1002AB10
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_10009B60 FindFirstFileA,FindClose,FindClose, 3_2_10009B60
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_10009C40 FindFirstFileA,FindClose,CloseHandle,CreateFileA, 3_2_10009C40
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1000BD50 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z,?_Xran@std@@YAXXZ,?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ,?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,FindFirstFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,#825,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,DeleteFileA,#825,FindNextFileA,FindClose,RemoveDirectoryA,#825,3_2_1000BD50
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_10008E50 GetLogicalDriveStringsA,GetUserNameA,_strcmpi,SHGetFolderPathA,CloseHandle,lstrlenA,lstrlenA,lstrlenA,GetVolumeInformationA,SHGetFileInfoA,lstrlenA,lstrlenA,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlenA, 0_2_10008E50
Source: C:\Windows\System32\loaddll32.exe, Code function: 4x nop then mov eax, dword ptr [esp+04h] 0_2_1002E040
Source: C:\Windows\System32\loaddll32.exe, Code function: 4x nop then test byte ptr [101218F4h], 00000008h 0_2_1003E318
Source: C:\Windows\System32\loaddll32.exe, Code function: 4x nop then movdqa dqword ptr [edi], xmm7 0_2_1003E490
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4x nop then mov eax, dword ptr [esp+04h] 3_2_1002E040
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4x nop then test byte ptr [101218F4h], 00000008h 3_2_1003E318
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4x nop then movdqa dqword ptr [edi], xmm7 3_2_1003E490
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10014060 InternetOpenA,InternetConnectA,InternetCloseHandle,HttpOpenRequestA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,HttpSendRequestA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,HttpQueryInfoA,#823,HttpQueryInfoA,#825,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,strstr,strstr,#825,strstr,strncpy,strstr,#825,strstr,strncat,strstr,#825,InternetOpenA,InternetConnectA,InternetCloseHandle,sprintf,sprintf,HttpOpenRequestA,InternetCloseHandle,InternetCloseHandle,sprintf,HttpSendRequestA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,HttpQueryInfoA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,atol,#823,InternetReadFile,#825,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,MultiByteToWideChar,#823,MultiByteToWideChar,#825,WideCharToMultiByte,#823,WideCharToMultiByte,#825,strstr,#825,#825,0_2_10014060
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4538412273.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4538391702.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, KlzXRW4Ag7.dll, String found in binary or memory: http://ptlogin2.qun.qq.com%s
Source: loaddll32.exe, rundll32.exe, String found in binary or memory: http://ptlogin2.qun.qq.com%sAccept-Language:
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4538412273.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4538391702.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, KlzXRW4Ag7.dll, String found in binary or memory: http://qun.qq.com%s
Source: loaddll32.exe, rundll32.exe, String found in binary or memory: http://qun.qq.com%sAccept-Language:
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4538448585.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4538432688.000000001011E000.00000004.00000001.01000000.00000003.sdmp, KlzXRW4Ag7.dll, String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4538448585.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4538432688.000000001011E000.00000004.00000001.01000000.00000003.sdmp, KlzXRW4Ag7.dll, String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1725680900780/4.txt
Source: loaddll32.exe, 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4538448585.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4538432688.000000001011E000.00000004.00000001.01000000.00000003.sdmp, KlzXRW4Ag7.dll, String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1725680900780/4.txthttps://
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4538412273.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4538391702.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, KlzXRW4Ag7.dll, String found in binary or memory: https://localhost.ptlogin2.qq.com:4301%s
Source: loaddll32.exe, rundll32.exe, String found in binary or memory: https://localhost.ptlogin2.qq.com:4301%sAccept-Language:
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4538412273.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4538391702.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, KlzXRW4Ag7.dll, String found in binary or memory: https://ssl.ptlogin2.qq.com%s
Source: loaddll32.exe, rundll32.exe, String found in binary or memory: https://ssl.ptlogin2.qq.com%sAccept-Language:
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4538412273.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4538391702.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, KlzXRW4Ag7.dll, String found in binary or memory: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\System32\loaddll32.exe, Code function: <BackSpace> 0_2_1000B840
Source: C:\Windows\System32\loaddll32.exe, Code function: <Enter> 0_2_1000B840
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: <BackSpace> 3_2_1000B840
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: <Enter> 3_2_1000B840
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_100025B0 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,GlobalUnlock,CloseClipboard, 0_2_100025B0
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_100026B0 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard, 0_2_100026B0
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_10002770 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,strstr,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard, 0_2_10002770
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_100029D0 printf,OpenClipboard,GlobalAlloc,GlobalLock,strstr,strstr,strstr,atoi,strstr,strstr,strstr,atoi,Sleep,Sleep,atoi,strstr,Sleep,Sleep,printf,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_100029D0
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_10017BB0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard, 0_2_10017BB0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_100026B0 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard, 3_2_100026B0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_10002770 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,strstr,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard, 3_2_10002770
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_100029D0 printf,OpenClipboard,GlobalAlloc,GlobalLock,strstr,strstr,strstr,atoi,strstr,strstr,strstr,atoi,Sleep,Sleep,atoi,strstr,Sleep,Sleep,printf,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, 3_2_100029D0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_10017BB0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard, 3_2_10017BB0
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_100025B0 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,GlobalUnlock,CloseClipboard, 0_2_100025B0
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_1000B840 GetKeyState,Sleep,lstrlenA,GetKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,lstrcatA,lstrlenA,lstrcatA,lstrcatA, 0_2_1000B840

E-Banking Fraud

Source: C:\Windows\System32\loaddll32.exe, Code function: malloc,SetEvent,GetUserNameA,_strcmpi,Sleep,Sleep,sprintf,sprintf,sprintf,sprintf,free,strstr,strstr,strstr,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,_strcmpi,free,free,CloseHandle,free,CloseHandle,CloseHandle,CloseHandle,CloseHandle,free, Applications\iexplore.exe 0_2_1000BFE0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: malloc,SetEvent,GetUserNameA,_strcmpi,Sleep,Sleep,sprintf,sprintf,sprintf,sprintf,free,strstr,strstr,strstr,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,_strcmpi,free,free,CloseHandle,free,CloseHandle,CloseHandle,CloseHandle,CloseHandle,free, Applications\iexplore.exe 3_2_1000BFE0

                  System Summary

                  Source: KlzXRW4Ag7.dll, type: SAMPLE, matched rule: Detects Mimikatz strings (author: Florian Roth)
                  Source: KlzXRW4Ag7.dll, type: SAMPLE, matched rule: Detects the Hidden public rootkit (author: ditekSHen)
                  Source: KlzXRW4Ag7.dll, type: SAMPLE, matched rule: Detects FatalRAT (author: ditekSHen)
                  Source: 3.2.rundll32.exe.100fbd38.1.unpack, type: UNPACKEDPE, matched rule: Detects the Hidden public rootkit (author: ditekSHen)
                  Source: 0.2.loaddll32.exe.1010b380.2.raw.unpack, type: UNPACKEDPE, matched rule: Detects the Hidden public rootkit (author: ditekSHen)
                  Source: 4.2.rundll32.exe.1010b380.2.unpack, type: UNPACKEDPE, matched rule: Detects the Hidden public rootkit (author: ditekSHen)
                  Source: 4.2.rundll32.exe.100fbd38.1.unpack, type: UNPACKEDPE, matched rule: Detects the Hidden public rootkit (author: ditekSHen)
                  Source: 0.2.loaddll32.exe.100fbd38.1.unpack, type: UNPACKEDPE, matched rule: Detects the Hidden public rootkit (author: ditekSHen)
                  Source: 3.2.rundll32.exe.1010b380.2.unpack, type: UNPACKEDPE, matched rule: Detects the Hidden public rootkit (author: ditekSHen)
                  Source: 0.2.loaddll32.exe.1010b380.2.unpack, type: UNPACKEDPE, matched rule: Detects the Hidden public rootkit (author: ditekSHen)
                  Source: 3.2.rundll32.exe.1010b380.2.raw.unpack, type: UNPACKEDPE, matched rule: Detects the Hidden public rootkit (author: ditekSHen)
                  Source: 0.2.loaddll32.exe.100fbd38.1.raw.unpack, type: UNPACKEDPE, matched rule: Detects the Hidden public rootkit (author: ditekSHen)
                  Source: 4.2.rundll32.exe.1010b380.2.raw.unpack, type: UNPACKEDPE, matched rule: Detects the Hidden public rootkit (author: ditekSHen)
                  Source: 4.2.rundll32.exe.100fbd38.1.raw.unpack, type: UNPACKEDPE, matched rule: Detects the Hidden public rootkit (author: ditekSHen)
                  Source: 3.2.rundll32.exe.100fbd38.1.raw.unpack, type: UNPACKEDPE, matched rule: Detects the Hidden public rootkit (author: ditekSHen)
                  Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE, matched rule: Detects Mimikatz strings (author: Florian Roth)
                  Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE, matched rule: Detects the Hidden public rootkit (author: ditekSHen)
                  Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE, matched rule: Detects FatalRAT (author: ditekSHen)
                  Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE, matched rule: Detects Mimikatz strings (author: Florian Roth)
                  Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE, matched rule: Detects the Hidden public rootkit (author: ditekSHen)
                  Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE, matched rule: Detects FatalRAT (author: ditekSHen)
                  Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE, matched rule: Detects Mimikatz strings (author: Florian Roth)
                  Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE, matched rule: Detects the Hidden public rootkit (author: ditekSHen)
                  Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE, matched rule: Detects FatalRAT (author: ditekSHen)
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000E670 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess,0_2_1000E670
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10010190 AttachConsole,AttachConsole,Sleep,AttachConsole,GetConsoleProcessList,GetConsoleProcessList,#823,GetConsoleProcessList,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,#825,FreeConsole,FreeConsole,Sleep,FreeConsole,TerminateProcess,swprintf,SHDeleteKeyA,OpenSCManagerA,OpenServiceA,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,GetSystemDirectoryA,GetSystemDirectoryA,lstrcatA,lstrcatA,DeleteFileA,DeleteFileA,GetSystemDirectoryA,lstrcatA,DeleteFileA,LocalFree,free,free,free,GetWindowsDirectoryA,GetCurrentProcess,IsWow64Process,DeleteFileA,SetServiceStatus,ExitProcess,0_2_10010190
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10010640 ExitWindowsEx,0_2_10010640
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10010640 ExitWindowsEx,3_2_10010640
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000E670 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess,3_2_1000E670
                  Source: C:\Windows\System32\loaddll32.exe Code function: String function: 1001B690 appears 31 times
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1001B690 appears 31 times
                  Source: KlzXRW4Ag7.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                  Source: KlzXRW4Ag7.dll, type: SAMPLE, matched rule: Mimikatz_Strings (date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/)
                  Source: KlzXRW4Ag7.dll, type: SAMPLE, matched rule: INDICATOR_TOOL_RTK_HiddenRootKit (author = ditekSHen, description = Detects the Hidden public rootkit)
                  Source: KlzXRW4Ag7.dll, type: SAMPLE, matched rule: MALWARE_Win_FatalRAT (author = ditekSHen, description = Detects FatalRAT)
                  Source: 3.2.rundll32.exe.100fbd38.1.unpack, type: UNPACKEDPE, matched rule: INDICATOR_TOOL_RTK_HiddenRootKit (author = ditekSHen, description = Detects the Hidden public rootkit)
                  Source: 0.2.loaddll32.exe.1010b380.2.raw.unpack, type: UNPACKEDPE, matched rule: INDICATOR_TOOL_RTK_HiddenRootKit (author = ditekSHen, description = Detects the Hidden public rootkit)
                  Source: 4.2.rundll32.exe.1010b380.2.unpack, type: UNPACKEDPE, matched rule: INDICATOR_TOOL_RTK_HiddenRootKit (author = ditekSHen, description = Detects the Hidden public rootkit)
                  Source: 4.2.rundll32.exe.100fbd38.1.unpack, type: UNPACKEDPE, matched rule: INDICATOR_TOOL_RTK_HiddenRootKit (author = ditekSHen, description = Detects the Hidden public rootkit)
                  Source: 0.2.loaddll32.exe.100fbd38.1.unpack, type: UNPACKEDPE, matched rule: INDICATOR_TOOL_RTK_HiddenRootKit (author = ditekSHen, description = Detects the Hidden public rootkit)
                  Source: 3.2.rundll32.exe.1010b380.2.unpack, type: UNPACKEDPE, matched rule: INDICATOR_TOOL_RTK_HiddenRootKit (author = ditekSHen, description = Detects the Hidden public rootkit)
                  Source: 0.2.loaddll32.exe.1010b380.2.unpack, type: UNPACKEDPE, matched rule: INDICATOR_TOOL_RTK_HiddenRootKit (author = ditekSHen, description = Detects the Hidden public rootkit)
                  Source: 3.2.rundll32.exe.1010b380.2.raw.unpack, type: UNPACKEDPE, matched rule: INDICATOR_TOOL_RTK_HiddenRootKit (author = ditekSHen, description = Detects the Hidden public rootkit)
                  Source: 0.2.loaddll32.exe.100fbd38.1.raw.unpack, type: UNPACKEDPE, matched rule: INDICATOR_TOOL_RTK_HiddenRootKit (author = ditekSHen, description = Detects the Hidden public rootkit)
                  Source: 4.2.rundll32.exe.1010b380.2.raw.unpack, type: UNPACKEDPE, matched rule: INDICATOR_TOOL_RTK_HiddenRootKit (author = ditekSHen, description = Detects the Hidden public rootkit)
                  Source: 4.2.rundll32.exe.100fbd38.1.raw.unpack, type: UNPACKEDPE, matched rule: INDICATOR_TOOL_RTK_HiddenRootKit (author = ditekSHen, description = Detects the Hidden public rootkit)
                  Source: 3.2.rundll32.exe.100fbd38.1.raw.unpack, type: UNPACKEDPE, matched rule: INDICATOR_TOOL_RTK_HiddenRootKit (author = ditekSHen, description = Detects the Hidden public rootkit)
                  Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE, matched rule: Mimikatz_Strings (date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/)
                  Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE, matched rule: INDICATOR_TOOL_RTK_HiddenRootKit (author = ditekSHen, description = Detects the Hidden public rootkit)
                  Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE, matched rule: MALWARE_Win_FatalRAT (author = ditekSHen, description = Detects FatalRAT)
                  Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE, matched rule: Mimikatz_Strings (date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/)
                  Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE, matched rule: INDICATOR_TOOL_RTK_HiddenRootKit (author = ditekSHen, description = Detects the Hidden public rootkit)
                  Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE, matched rule: MALWARE_Win_FatalRAT (author = ditekSHen, description = Detects FatalRAT)
                  Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE, matched rule: Mimikatz_Strings (date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/)
                  Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE, matched rule: INDICATOR_TOOL_RTK_HiddenRootKit (author = ditekSHen, description = Detects the Hidden public rootkit)
                  Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE, matched rule: MALWARE_Win_FatalRAT (author = ditekSHen, description = Detects FatalRAT)
                  Source: KlzXRW4Ag7.dll Binary string: \Device\QAssist\DosDevices\QAssistQAssist!InitializeDevice[irql:%d,pid:%d][error]: Error, device creation failed with code:%08x
                  Source: KlzXRW4Ag7.dll Binary string: \Device\QAssist\DosDevices\QAssist
                  Source: KlzXRW4Ag7.dll Binary string: \??\\Device\\SystemRoot\QAssist!CheckProtectedOperation[irql:%d,pid:%d][warning]: Warning, can't update initial state for process: %p
                  Source: KlzXRW4Ag7.dll Binary string: \Device\
                  Source: classification engine Classification label: mal100.bank.troj.spyw.evad.winDLL@20/1@0/0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100290C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,0_2_100290C0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001B690 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,0_2_1001B690
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100290C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,3_2_100290C0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001B690 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,3_2_1001B690
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001B250 GetTickCount,GetVersionExA,getsockname,GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,GetDriveTypeA,GetDiskFreeSpaceExA,GetTickCount,GetTickCount,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetLastInputInfo,GetTickCount,_access,lstrcpyA,0_2_1001B250
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100270F0 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_100270F0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001A100 CoInitialize,CoCreateInstance,GetDriveTypeA,SysFreeString,SysFreeString,CoUninitialize,0_2_1001A100
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001EFD0 Shellex,#823,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetCurrentThreadId,PostThreadMessageA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetCommandLineA,CreateMutexA,GetLastError,strstr,Sleep,Sleep,OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,ExitProcess,CloseServiceHandle,CloseServiceHandle,Sleep,Sleep,sprintf,ExitProcess,sprintf,sprintf,GetModuleFileNameA,sprintf,Sleep,sprintf,ExitProcess,Sleep,Sleep,Sleep,Sleep,0_2_1001EFD0
                  Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\Public\Documents\MM\svchos.exe
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5512:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6304:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5052:120:WilError_03
                  Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KlzXRW4Ag7.dll,Shellex
                  Source: KlzXRW4Ag7.dll ReversingLabs: Detection: 68%
                  Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\KlzXRW4Ag7.dll"
                  Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\KlzXRW4Ag7.dll",#1
                  Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KlzXRW4Ag7.dll,Shellex
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KlzXRW4Ag7.dll",#1
                  Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: mfc42.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: msvcp60.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: winmm.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: dwmapi.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: wininet.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: netapi32.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: wtsapi32.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: samcli.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
                  Source: KlzXRW4Ag7.dll Static file information: File size 1269760 > 1048576
                  Source: Binary string: F:\hidden-master\x64\Debug\QAssist.pdb source: loaddll32.exe, 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4538412273.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4538391702.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, KlzXRW4Ag7.dll
                  Source: Binary string: rundll32.pdb source: rundll32.exe, 00000004.00000002.4537914253.0000000002C6A000.00000004.00000020.00020000.00000000.sdmp, svchos.exe.4.dr
                  Source: Binary string: rundll32.pdbGCTL source: rundll32.exe, 00000004.00000002.4537914253.0000000002C6A000.00000004.00000020.00020000.00000000.sdmp, svchos.exe.4.dr
                  Source: Binary string: F:\hidden-master\Debug\QAssist.pdb source: loaddll32.exe, 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4538412273.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4538391702.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, KlzXRW4Ag7.dll
                  Source: svchos.exe.4.dr Static PE information: 0x6A8F1B39 [Wed Aug 26 16:58:33 2026 UTC]
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10014700 LoadLibraryA,GetProcAddress,#823,#823,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,strchr,strncat,strncat,strncat,strchr,RegQueryValueExA,wsprintfA,RegQueryValueExA,strchr,RegEnumKeyExA,wsprintfA,wsprintfA,RegEnumValueA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrcatA,#825,#825,0_2_10014700
                  Source: KlzXRW4Ag7.dll Static PE information: section name: .rodata
                  Source: KlzXRW4Ag7.dll Static PE information: section name: .rotext
                  Source: svchos.exe.4.dr Static PE information: section name: .didat
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1002D080 push eax; ret 0_2_1002D0AE
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002D080 push eax; ret 3_2_1002D0AE

                  Persistence and Installation Behavior

                  Source: C:\Windows\System32\loaddll32.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0 0_2_1000E670
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0 3_2_1000E670
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10025AA0 lstrlenA,lstrlenA,lstrlenA,lstrlenA,NetUserAdd,#825,#825,wcscpy,#825,#825,NetLocalGroupAddMembers,#825,LocalFree,0_2_10025AA0
                  Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\Public\Documents\MM\svchos.exe

                  Boot Survival

                  Source: C:\Windows\System32\loaddll32.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0 0_2_1000E670
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0 3_2_1000E670
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001EFD0 Shellex,#823,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetCurrentThreadId,PostThreadMessageA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetCommandLineA,CreateMutexA,GetLastError,strstr,Sleep,Sleep,OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,ExitProcess,CloseServiceHandle,CloseServiceHandle,Sleep,Sleep,sprintf,ExitProcess,sprintf,sprintf,GetModuleFileNameA,sprintf,Sleep,sprintf,ExitProcess,Sleep,Sleep,Sleep,Sleep,0_2_1001EFD0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001D150 IsWindowVisible,IsIconic,GetWindowTextA,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,0_2_1001D150
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001D150 IsWindowVisible,IsIconic,GetWindowTextA,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,3_2_1001D150
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000E540 OpenEventLogA,ClearEventLogA,OpenEventLogA,ClearEventLogA,CloseEventLog,0_2_1000E540
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001140 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,#825,#825,#825,#825,0_2_10001140
                  Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1001D4A00_2_1001D4A0
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1001DA700_2_1001DA70
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1001D4A03_2_1001D4A0
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1001DA703_2_1001DA70
                  Source: C:\Windows\System32\loaddll32.exeEvasive API call chain: CreateMutex,DecisionNodes,Sleep
                  Source: C:\Windows\SysWOW64\rundll32.exeEvasive API call chain: CreateMutex,DecisionNodes,Sleep
                  Source: C:\Windows\System32\loaddll32.exeCode function: LocalAlloc,LocalAlloc,OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LocalAlloc,EnumServicesStatusA,lstrlenA,OpenServiceA,QueryServiceConfigA,LocalAlloc,QueryServiceConfigA,QueryServiceConfig2A,LocalAlloc,QueryServiceConfig2A,lstrcatA,lstrcatA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalFree,LocalFree,LocalFree,CloseServiceHandle,LocalFree,CloseServiceHandle,LocalReAlloc,0_2_10019930
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: LocalAlloc,LocalAlloc,OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LocalAlloc,EnumServicesStatusA,lstrlenA,OpenServiceA,QueryServiceConfigA,LocalAlloc,QueryServiceConfigA,QueryServiceConfig2A,LocalAlloc,QueryServiceConfig2A,lstrcatA,lstrcatA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalFree,LocalFree,LocalFree,CloseServiceHandle,LocalFree,CloseServiceHandle,LocalReAlloc,3_2_10019930
                  Source: C:\Windows\System32\loaddll32.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                  Source: C:\Windows\System32\loaddll32.exeAPI coverage: 2.3 %
                  Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 2.8 %
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1001DA700_2_1001DA70
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1001DA703_2_1001DA70
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10009080 lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose,0_2_10009080
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_100092A0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_100092A0
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_100097D0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,#823,#825,wsprintfA,FindNextFileA,FindClose,0_2_100097D0
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1002AB10 lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose,0_2_1002AB10
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10009B60 FindFirstFileA,FindClose,FindClose,0_2_10009B60
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10009C40 FindFirstFileA,FindClose,CloseHandle,CreateFileA,0_2_10009C40
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1000BD50 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z,?_Xran@std@@YAXXZ,?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ,?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,FindFirstFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,#825,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,DeleteFileA,#825,FindNextFileA,FindClose,RemoveDirectoryA,#825,0_2_1000BD50
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10009080 lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose,3_2_10009080
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_100092A0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,3_2_100092A0
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_100097D0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,#823,#825,wsprintfA,FindNextFileA,FindClose,3_2_100097D0
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1002AB10 lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose,3_2_1002AB10
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10009B60 FindFirstFileA,FindClose,FindClose,3_2_10009B60
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10009C40 FindFirstFileA,FindClose,CloseHandle,CreateFileA,3_2_10009C40
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1000BD50 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z,?_Xran@std@@YAXXZ,?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ,?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,FindFirstFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,#825,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,DeleteFileA,#825,FindNextFileA,FindClose,RemoveDirectoryA,#825,3_2_1000BD50
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10008E50 GetLogicalDriveStringsA,GetUserNameA,_strcmpi,SHGetFolderPathA,CloseHandle,lstrlenA,lstrlenA,lstrlenA,GetVolumeInformationA,SHGetFileInfoA,lstrlenA,lstrlenA,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlenA,0_2_10008E50
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1001B250 GetTickCount,GetVersionExA,getsockname,GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,GetDriveTypeA,GetDiskFreeSpaceExA,GetTickCount,GetTickCount,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetLastInputInfo,GetTickCount,_access,lstrcpyA,0_2_1001B250
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_100174C0 BlockInput,BlockInput,BlockInput,0_2_100174C0
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10014700 LoadLibraryA,GetProcAddress,#823,#823,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,strchr,strncat,strncat,strncat,strchr,RegQueryValueExA,wsprintfA,RegQueryValueExA,strchr,RegEnumKeyExA,wsprintfA,wsprintfA,RegEnumValueA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrcatA,#825,#825,0_2_10014700
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1000A580 LocalAlloc,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcessHeap,GetProcessHeap,CreateToolhelp32Snapshot,lstrlenA,htons,inet_ntoa,wsprintfA,wsprintfA,htons,inet_ntoa,wsprintfA,lstrcpyA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,GetProcessHeap,GetProcAddress,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapFree,FreeLibrary,htons,inet_ntoa,wsprintfA,lstrcpyA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,GetProcessHeap,GetProcessHeap,GetProcessHeap,CreateToolhelp32Snapshot,lstrlenA,htons,inet_ntoa,wsprintfA,wsprintfA,htons,inet_ntoa,wsprintfA,lstrcpyA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,htons,inet_ntoa,wsprintfA,lstrcpyA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,CloseHandle,LocalFree,LocalFree,LocalFree,FreeLibrary,LocalReAlloc,0_2_1000A580

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1000E780 SetEvent,FindWindowA,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,SendMessageA,FindWindowA,SendMessageA,mciSendStringA,mciSendStringA,Beep,Sleep,Beep,Sleep,GetForegroundWindow,Beep,Sleep,MoveWindow,GetWindowRect,MoveWindow,Sleep,MoveWindow,Sleep,Beep,SwapMouseButton,SwapMouseButton,0_2_1000E780
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1000E780 SetEvent,FindWindowA,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,SendMessageA,FindWindowA,SendMessageA,mciSendStringA,mciSendStringA,Beep,Sleep,Beep,Sleep,GetForegroundWindow,Beep,Sleep,MoveWindow,GetWindowRect,MoveWindow,Sleep,MoveWindow,Sleep,Beep,SwapMouseButton,SwapMouseButton,0_2_1000E780
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1000E780 SetEvent,FindWindowA,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,SendMessageA,FindWindowA,SendMessageA,mciSendStringA,mciSendStringA,Beep,Sleep,Beep,Sleep,GetForegroundWindow,Beep,Sleep,MoveWindow,GetWindowRect,MoveWindow,Sleep,MoveWindow,Sleep,Beep,SwapMouseButton,SwapMouseButton,3_2_1000E780
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1000E780 SetEvent,FindWindowA,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,SendMessageA,FindWindowA,SendMessageA,mciSendStringA,mciSendStringA,Beep,Sleep,Beep,Sleep,GetForegroundWindow,Beep,Sleep,MoveWindow,GetWindowRect,MoveWindow,Sleep,MoveWindow,Sleep,Beep,SwapMouseButton,SwapMouseButton,3_2_1000E780
                  Source: C:\Windows\System32\loaddll32.exeCode function: CreateToolhelp32Snapshot,Process32First,_strcmpi,OpenProcess,TerminateProcess,_strcmpi,OpenProcess,TerminateProcess,Process32Next,CloseHandle, explorer.exe0_2_1000ED10
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: CreateToolhelp32Snapshot,Process32First,_strcmpi,OpenProcess,TerminateProcess,_strcmpi,OpenProcess,TerminateProcess,Process32Next,CloseHandle, explorer.exe3_2_1000ED10
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10021410 _access,GetModuleFileNameA,ShellExecuteExA,ShellExecuteExA,GetLastError,exit,_access,_access,Sleep,WinExec,WinExec,_access,WinExec,Sleep,_access,Sleep,CreateThread,CreateThread,CloseHandle,CloseHandle,CreateThread,CloseHandle,Shellex,0_2_10021410
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KlzXRW4Ag7.dll",#1
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1001EFD0 Shellex,#823,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetCurrentThreadId,PostThreadMessageA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetCommandLineA,CreateMutexA,GetLastError,strstr,Sleep,Sleep,OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,ExitProcess,CloseServiceHandle,CloseServiceHandle,Sleep,Sleep,sprintf,ExitProcess,sprintf,sprintf,GetModuleFileNameA,sprintf,Sleep,sprintf,ExitProcess,Sleep,Sleep,Sleep,Sleep,0_2_1001EFD0
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_100209D0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_100209D0
                  Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4538412273.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4538391702.00000000100FA000.00000008.00000001.01000000.00000003.sdmpBinary or memory string: Shell_TrayWnd
                  Source: KlzXRW4Ag7.dllBinary or memory string: Shell_TrayWndProgmanDwmapi.dllDwmIsCompositionEnabledDwmEnableCompositiondwmapi.dllrunasexplorer.exeSeDebugPrivilegecmd.exe /c RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255\AppData\Local\Google\Chrome\User Data\DefaultC:\Users\\AppData\Roaming\Microsoft\Skype for DesktopSkype.exedel /s /f %appdata%\Mozilla\Firefox\Profiles\*.dbfirefox.exe\AppData\Roaming\360se6\User Data\Default360se6.exe\AppData\Local\Tencent\QQBrowser\User Data\DefaultQQBrowser.exe\AppData\Roaming\SogouExplorerSogouExplorer.exeBITS -inst.sys\system32\drivers\\sysnative\drivers\SYSTEM\CurrentControlSet\Services\BITSSYSTEM\SetupSYSTEM\SelectMarkTimeSYSTEM\CurrentControlSet\Services\\Registry\Machine\System\CurrentControlSet\Services\%SZwUnloadDriverNTDLL.DLLRtlInitUnicodeStringSeLoadDriverPrivilege
                  Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4538412273.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4538391702.00000000100FA000.00000008.00000001.01000000.00000003.sdmpBinary or memory string: Progman
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_100A8230 cpuid 0_2_100A8230
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10002340 GetWindowLongA,PostQuitMessage,SetWindowLongA,GetModuleHandleA,LoadIconA,SetClassLongA,DestroyWindow,GetDlgItemTextA,GetDlgItem,SetFocus,GetLocalTime,sprintf,GetDlgItem,GetDlgItem,GetWindowTextLengthA,GetWindowTextLengthA,SetWindowTextA,GetWindowTextLengthA,SendMessageA,SendMessageA,SendMessageA,SetDlgItemTextA,GetDlgItem,SetFocus,0_2_10002340
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1002A260 RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,wsprintfA,RegCloseKey,wsprintfA,GetComputerNameA,GetTickCount,wsprintfA,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,wsprintfA,ReleaseDC,wsprintfA,wsprintfA,wsprintfA,GetCommandLineA,wsprintfA,GetUserNameA,wsprintfA,wsprintfA,FindWindowA,GetWindow,GetWindowTextA,GetWindow,GetClassNameA,GlobalMemoryStatusEx,0_2_1002A260
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1001E020 GetVersionExA,GetModuleFileNameA,sprintf,WaitForSingleObject,CloseHandle,FindWindowA,FindWindowA,Sleep,FindWindowA,Sleep,FindWindowA,CloseHandle,ExitProcess,0_2_1001E020

                  Lowering of HIPS / PFW / Operating System Security Settings

                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10026980 OpenServiceA 00000000,sharedaccess,000F01FF0_2_10026980

                  Stealing of Sensitive Information

                  Source: Yara matchFile source: KlzXRW4Ag7.dll, type: SAMPLE
                  Source: Yara matchFile source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: KlzXRW4Ag7.dll, type: SAMPLE
                  Source: Yara matchFile source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000004.00000002.4538432688.000000001011E000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.4538448585.000000001011E000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 5460, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7128, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 1868, type: MEMORYSTR
                  Source: Yara matchFile source: KlzXRW4Ag7.dll, type: SAMPLE
                  Source: Yara matchFile source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE

                  Remote Access Functionality

                  Source: Yara matchFile source: KlzXRW4Ag7.dll, type: SAMPLE
                  Source: Yara matchFile source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: KlzXRW4Ag7.dll, type: SAMPLE
                  Source: Yara matchFile source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10023650 socket,bind,getsockname,inet_addr,0_2_10023650
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10023A10 WSAStartup,socket,htons,bind,listen,accept,malloc,accept,malloc,CreateThread,Sleep,CloseHandle,0_2_10023A10
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10023650 socket,bind,getsockname,inet_addr,3_2_10023650
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10023A10 WSAStartup,socket,htons,bind,listen,accept,malloc,accept,malloc,CreateThread,Sleep,CloseHandle,3_2_10023A10
                  MITRE ATT&CK Matrix (listed per tactic column; techniques carrying a leading number are the ones matched in this analysis, the remaining entries are the unmatched cells of the matrix)

                  Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
                  Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
                  Execution: 11 Native API; 12 Service Execution; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
                  Persistence: 1 DLL Side-Loading; 1 Create Account; 111 Windows Service; 1 Bootkit; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
                  Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 1 Access Token Manipulation; 111 Windows Service; 23 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
                  Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading; 1 Masquerading; 1 Access Token Manipulation; 23 Process Injection; 1 Bootkit; 1 Rundll32; 1 Indicator Removal
                  Credential Access: 111 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
                  Discovery: 1 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 2 File and Directory Discovery; 15 System Information Discovery; 1 Network Share Discovery; 12 Security Software Discovery; 12 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery; System Network Connections Discovery
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
                  Collection: 1 Archive Collected Data; 111 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
                  Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
                  Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
                  Behavior Graph (ID: 1557653; sample: KlzXRW4Ag7.dll; start date: 18/11/2024; architecture: WINDOWS; score: 100)

                  Signatures on the sample node: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 6 other signatures.

                  Process tree recovered from the graph:
                  • loaddll32.exe (signatures: Found evasive API chain (may stop execution after checking mutex); Contains functionality to automate explorer (e.g. start an application); Contains functionality to infect the boot sector; 4 other signatures)
                    • rundll32.exe (signatures: Found evasive API chain (may stop execution after checking mutex); Contains functionality to automate explorer (e.g. start an application); Contains functionality to infect the boot sector; 3 other signatures)
                      • cmd.exe -> conhost.exe
                      • cmd.exe -> conhost.exe
                    • cmd.exe
                      • rundll32.exe (dropped file: C:\Users\Public\Documents\MM\svchos.exe, PE32)
                        • cmd.exe -> conhost.exe
                        • cmd.exe -> conhost.exe
                    • conhost.exe

                  Source | Detection | Scanner | Label | Link
                  KlzXRW4Ag7.dll | 68% | ReversingLabs | Win32.Downloader.GhostRAT |
                  KlzXRW4Ag7.dll | 100% | Avira | BDS/Zegost.lloamn |
                  KlzXRW4Ag7.dll | 100% | Joe Sandbox ML | |

                  Source | Detection | Scanner | Label | Link
                  C:\Users\Public\Documents\MM\svchos.exe | 0% | ReversingLabs | |
                  No Antivirus matches
                  No Antivirus matches
                  Source | Detection | Scanner | Label | Link
                  https://localhost.ptlogin2.qq.com:4301%sAccept-Language: | 0% | Avira URL Cloud | safe |
                  https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt | 0% | Avira URL Cloud | safe |
                  http://ptlogin2.qun.qq.com%sAccept-Language: | 0% | Avira URL Cloud | safe |
                  https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1725680900780/4.txt | 0% | Avira URL Cloud | safe |
                  https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1725680900780/4.txthttps:// | 0% | Avira URL Cloud | safe |
                  https://ssl.ptlogin2.qq.com%sAccept-Language: | 0% | Avira URL Cloud | safe |
                  http://qun.qq.com%sAccept-Language: | 0% | Avira URL Cloud | safe |
                  No contacted domains info
                            No contacted IP infos
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1557653
                            Start date and time:2024-11-18 14:16:46 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 7m 23s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:16
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:KlzXRW4Ag7.dll
                            renamed because original name is a hash value
                            Original Sample Name:cebf76deabb47efe7ad3769c0586815d1d45e2ef9718057de77abb46b554f6f4.dll
                            Detection:MAL
                            Classification:mal100.bank.troj.spyw.evad.winDLL@20/1@0/0
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 9
                            • Number of non-executed functions: 279
                            Cookbook Comments:
                            • Found application associated with file extension: .dll
                            • Override analysis time to 240s for rundll32
                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing disassembly code.
                            • VT rate limit hit for: KlzXRW4Ag7.dll
                            No simulations
                            No context
                            No context
                            No context
                            No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\Public\Documents\MM\svchos.exe | ZfJheGhddq.dll | Get hash | malicious | GhostRat, Mimikatz, Nitol | Browse |
 | PD5dVJNpz7.dll | Get hash | malicious | GhostRat, Mimikatz, Nitol | Browse |
 | 7YtmCkMUx3.dll | Get hash | malicious | GhostRat, Mimikatz, Nitol | Browse |
 | tROeAyXq2X.exe | Get hash | malicious | Mimikatz, RunningRAT | Browse |
 | me.exe | Get hash | malicious | RunningRAT | Browse |
 | gE4NVCZDRk.exe | Get hash | malicious | Bdaejec, RunningRAT | Browse |
 | uHmFQqHIIA.exe | Get hash | malicious | RunningRAT | Browse |
 | ofR1Hd4NPM.exe | Get hash | malicious | RunningRAT | Browse |
 | 9JQ3JboYdz.exe | Get hash | malicious | RunningRAT | Browse |
 | 3B1TaPwSlt.exe | Get hash | malicious | RunningRAT | Browse |
                                                Process:C:\Windows\SysWOW64\rundll32.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):61440
                                                Entropy (8bit):6.199746098562656
                                                Encrypted:false
                                                SSDEEP:1536:H9ykYCTdiHQKrFXmw2RQln5IUmDjoX6+:HlMHprF2nRQln5I
                                                MD5:889B99C52A60DD49227C5E485A016679
                                                SHA1:8FA889E456AA646A4D0A4349977430CE5FA5E2D7
                                                SHA-256:6CBE0E1F046B13B29BFA26F8B368281D2DDA7EB9B718651D5856F22CC3E02910
                                                SHA-512:08933106EAF338DD119C45CBF1F83E723AFF77CC0F8D3FC84E36253B1EB31557A54211D1D5D1CB58958188E32064D451F6C66A24B3963CCCD3DE07299AB90641
                                                Malicious:false
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Joe Sandbox View:
                                                • Filename: ZfJheGhddq.dll, Detection: malicious, Browse
                                                • Filename: PD5dVJNpz7.dll, Detection: malicious, Browse
                                                • Filename: 7YtmCkMUx3.dll, Detection: malicious, Browse
                                                • Filename: tROeAyXq2X.exe, Detection: malicious, Browse
                                                • Filename: me.exe, Detection: malicious, Browse
                                                • Filename: gE4NVCZDRk.exe, Detection: malicious, Browse
                                                • Filename: uHmFQqHIIA.exe, Detection: malicious, Browse
                                                • Filename: ofR1Hd4NPM.exe, Detection: malicious, Browse
                                                • Filename: 9JQ3JboYdz.exe, Detection: malicious, Browse
                                                • Filename: 3B1TaPwSlt.exe, Detection: malicious, Browse
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.....^...^...^.pb^...^.c._...^.c._...^...^c..^.c._...^.c._...^.c._...^.c.^...^.c._...^Rich...^........PE..L...9..j.................b...........a............@..........................@............@.............................................hg...................0..........T........................... ........................m..`....................text...La.......b.................. ..`.data................f..............@....idata...............h..............@..@.didat...............~..............@....rsrc...hg.......h..................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................
                                                File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):6.332882557246355
                                                TrID:
                                                • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                • Generic Win/DOS Executable (2004/3) 0.20%
                                                • DOS Executable Generic (2002/1) 0.20%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:KlzXRW4Ag7.dll
                                                File size:1'269'760 bytes
                                                MD5:e51727b49e9c42d20db8ecdc7e20e0ae
                                                SHA1:7777702d55eb92fe4f4ce2edbaf1dc2db83ae68b
                                                SHA256:cebf76deabb47efe7ad3769c0586815d1d45e2ef9718057de77abb46b554f6f4
                                                SHA512:21de811db4d043c863159f83b2137c30053635309ecb87071b3d0be80dec92af2063b1864e976d16c9f3601b9461fdfadc2234e44d890d91ea88c4d8d122f6df
                                                SSDEEP:24576:ssh4GJrUiQGtGMNBihr/abS73/iBtKB32Sttm7izM5GrkQPXHMtR1tD1bZtTkRxw:4Wr1fTkM
                                                TLSH:04455C43E2B64CA3D7D80034EC6AE7B677347A1C97F786737240EDD6B5A22907D2421A
                                                File Content Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.........q!_..r_..r_..r...r^..ri..rY..rx.dr]..r../re..r_..r...r0..r^..r0..r[..r0..r[..r$..rX..r...rX..ri..r]..ri..r]..r..@r[..r..Br@..
                                                Icon Hash:7ae282899bbab082
                                                Entrypoint:0x1002d2eb
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x10000000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                                                DLL Characteristics:
                                                Time Stamp:0x670B6EF9 [Sun Oct 13 06:55:53 2024 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:6718574bfa82ab04bcaf82fa9136fc6c
                                                Instruction
                                                push ebp
                                                mov ebp, esp
                                                push ebx
                                                mov ebx, dword ptr [ebp+08h]
                                                push esi
                                                mov esi, dword ptr [ebp+0Ch]
                                                push edi
                                                mov edi, dword ptr [ebp+10h]
                                                test esi, esi
                                                jne 00007F38744F138Bh
                                                cmp dword ptr [1012F214h], 00000000h
                                                jmp 00007F38744F13A8h
                                                cmp esi, 01h
                                                je 00007F38744F1387h
                                                cmp esi, 02h
                                                jne 00007F38744F13A4h
                                                mov eax, dword ptr [10158640h]
                                                test eax, eax
                                                je 00007F38744F138Bh
                                                push edi
                                                push esi
                                                push ebx
                                                call eax
                                                test eax, eax
                                                je 00007F38744F138Eh
                                                push edi
                                                push esi
                                                push ebx
                                                call 00007F38744F129Ah
                                                test eax, eax
                                                jne 00007F38744F1386h
                                                xor eax, eax
                                                jmp 00007F38744F13D0h
                                                push edi
                                                push esi
                                                push ebx
                                                call 00007F38744E54FAh
                                                cmp esi, 01h
                                                mov dword ptr [ebp+0Ch], eax
                                                jne 00007F38744F138Eh
                                                test eax, eax
                                                jne 00007F38744F13B9h
                                                push edi
                                                push eax
                                                push ebx
                                                call 00007F38744F1276h
                                                test esi, esi
                                                je 00007F38744F1387h
                                                cmp esi, 03h
                                                jne 00007F38744F13A8h
                                                push edi
                                                push esi
                                                push ebx
                                                call 00007F38744F1265h
                                                test eax, eax
                                                jne 00007F38744F1385h
                                                and dword ptr [ebp+0Ch], eax
                                                cmp dword ptr [ebp+0Ch], 00000000h
                                                je 00007F38744F1393h
                                                mov eax, dword ptr [10158640h]
                                                test eax, eax
                                                je 00007F38744F138Ah
                                                push edi
                                                push esi
                                                push ebx
                                                call eax
                                                mov dword ptr [ebp+0Ch], eax
                                                mov eax, dword ptr [ebp+0Ch]
                                                pop edi
                                                pop esi
                                                pop ebx
                                                pop ebp
                                                retn 000Ch
                                                jmp dword ptr [100B7424h]
                                                jmp dword ptr [100B7420h]
                                                jmp dword ptr [100B7418h]
                                                jmp dword ptr [100B73F4h]
                                                jmp dword ptr [100B73BCh]
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                jmp dword ptr [00000000h]
                                                Programming Language:
                                                • [ C ] VS98 (6.0) SP6 build 8804
                                                • [IMP] VS2005 build 50727
                                                • [C++] VS98 (6.0) SP6 build 8804
                                                • [ C ] VS98 (6.0) build 8168
                                                • [C++] VS98 (6.0) build 8168
                                                • [EXP] VC++ 6.0 SP5 build 8804
                                                • [LNK] VS98 (6.0) imp/exp build 8168
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xf9740 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf7088 | 0x190 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x199000 | 0x10 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x19a000 | 0x66a8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb7000 | 0x754 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x97d6a | 0x98000 | c7c687c7750f0f0cdf4c99a5f47bf546 | False | 0.40282239412006576 | data | 6.772840324028508 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rodata | 0x99000 | 0x2e50 | 0x3000 | 0ca3681ca0d1b13e402ba8d29971b5f2 | False | 0.28173828125 | data | 6.052273401613891 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rotext | 0x9c000 | 0x1ae92 | 0x1b000 | feea7fb2aafa1df6f6a0eec408bdf924 | False | 0.14991138599537038 | data | 5.997790228248824 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xb7000 | 0x42780 | 0x43000 | 539f948a75f40984fadd6fe94509566b | False | 0.09627885960820895 | data | 3.5858151876910833 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xfa000 | 0x9e7e0 | 0x32000 | 5b419db0d004ef8750963479c36ed883 | False | 0.2993994140625 | data | 5.522832873199925 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x199000 | 0x10 | 0x1000 | 620f0b67a91f7f74151bc5be745b7110 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x19a000 | 0x803e | 0x9000 | 6b35bb8326d6b6f119a625b7dee08e9e | False | 0.5600043402777778 | data | 5.559794854272469 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | Process32First, GetSystemDirectoryA, TerminateProcess, OpenProcess, ExitProcess, GetVersion, DeviceIoControl, Beep, GetVersionExA, GetModuleFileNameA, WinExec, TerminateThread, GetTickCount, GetCommandLineA, FreeConsole, GetCurrentProcessId, GetConsoleProcessList, AttachConsole, GetWindowsDirectoryA, WideCharToMultiByte, MultiByteToWideChar, GlobalSize, QueryPerformanceFrequency, QueryPerformanceCounter, LoadLibraryW, GlobalMemoryStatusEx, GetDriveTypeA, ReleaseMutex, CreateMutexA, GetCurrentThread, GetEnvironmentVariableA, GetCurrentThreadId, CreatePipe, CopyFileA, lstrcpyW, Module32Next, lstrcmpiA, Module32First, CreateRemoteThread, GetProcessId, ResumeThread, OpenThread, Thread32Next, Thread32First, SuspendThread, Process32Next, GlobalMemoryStatus, GetComputerNameA, GetPrivateProfileStringA, SystemTimeToTzSpecificLocalTime, lstrcpynA, lstrcmpA, lstrcatA, CreateProcessA, GetProcAddress, lstrcpyA, CreateDirectoryA, GetLastError, DeleteFileA, GetCurrentProcess, IsWow64Process, SetFilePointer, WriteFile, CreateFileA, GetFileSize, ReadFile, lstrlenA, FreeLibrary, IsBadReadPtr, VirtualProtect, HeapReAlloc, HeapAlloc, GetProcessHeap, HeapFree, CancelIo, SetEvent, ResetEvent, CreateEventA, LocalAlloc, LocalReAlloc, LocalSize, LocalFree, Sleep, GetFileAttributesA, GetModuleHandleA, GetLocalTime, GlobalAlloc, GlobalLock, GlobalFree, GlobalUnlock, CreateThread, VirtualAlloc, EnterCriticalSection, LeaveCriticalSection, VirtualFree, DeleteCriticalSection, InitializeCriticalSection, InterlockedExchange, CreateToolhelp32Snapshot, GetFileAttributesExA, FileTimeToSystemTime, MoveFileA, SetFileAttributesA, RemoveDirectoryA, FindFirstFileA, FindNextFileA, FindClose, GetLogicalDriveStringsA, GetVolumeInformationA, GetPriorityClass, GetDiskFreeSpaceExA, WaitForSingleObject, CloseHandle, LoadLibraryA, GetSystemInfo
USER32.dll | SetRect, GetCursorPos, GetCursorInfo, PostMessageA, SetCursorPos, WindowFromPoint, SetCapture, MapVirtualKeyA, SystemParametersInfoA, ReleaseDC, BlockInput, DestroyCursor, LoadCursorA, GetDC, GetSystemMetrics, ChangeDisplaySettingsA, FindWindowA, ShowWindow, MoveWindow, GetWindowRect, SwapMouseButton, ExitWindowsEx, EnumWindows, GetKeyState, GetAsyncKeyState, GetForegroundWindow, GetWindowTextA, CharNextA, GetDesktopWindow, wsprintfA, EmptyClipboard, SetClipboardData, OpenClipboard, GetClipboardData, CloseClipboard, GetWindowLongA, PostQuitMessage, SetWindowLongA, LoadIconA, SetClassLongA, DestroyWindow, SetFocus, GetWindowTextLengthA, SetWindowTextA, SetDlgItemTextA, CreateDialogIndirectParamA, GetDlgItem, SetWindowPos, OpenInputDesktop, GetDlgItemTextA, CloseDesktop, GetThreadDesktop, GetUserObjectInformationA, SetThreadDesktop, GetWindowThreadProcessId, WaitForInputIdle, GetClassNameA, GetWindow, GetLastInputInfo, IsIconic, MessageBoxA, IsWindowVisible, GetMessageA, IsDialogMessageA, TranslateMessage, SendMessageA, DispatchMessageA
GDI32.dll | GetDeviceCaps, CreateDIBSection, CreateCompatibleDC, DeleteObject, DeleteDC, BitBlt, GetRegionData, CombineRgn, CreateRectRgnIndirect, GetDIBits, CreateCompatibleBitmap, SelectObject
ADVAPI32.dll | RegOpenKeyA, GetTokenInformation, LookupAccountSidA, AbortSystemShutdownA, RegCloseKey, RegOpenKeyExA, GetUserNameA, CloseEventLog, ClearEventLogA, OpenEventLogA, RegSetValueExA, RegCreateKeyA, StartServiceA, CloseServiceHandle, OpenServiceA, OpenSCManagerA, SetServiceStatus, DeleteService, FreeSid, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, AllocateAndInitializeSid, RegEnumValueA, RegEnumKeyExA, RegQueryValueExA, RegDeleteValueA, RegDeleteKeyA, RegQueryInfoKeyA, RegCreateKeyExA, UnlockServiceDatabase, ChangeServiceConfigA, LockServiceDatabase, ControlService, QueryServiceStatus, QueryServiceConfig2A, QueryServiceConfigA, EnumServicesStatusA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, CheckTokenMembership
SHELL32.dll | ShellExecuteExA, SHGetFolderPathA, SHGetSpecialFolderPathA, SHGetFileInfoA, ShellExecuteA
ole32.dll | CoUninitialize, CoCreateInstance, CoInitialize
OLEAUT32.dll | SysFreeString
MFC42.DLL |
MSVCRT.dll | _adjust_fdiv, _initterm, _onexit, __dllonexit, ??1type_info@@UAE@XZ, _snprintf, swprintf, _splitpath, strncpy, atol, strncat, realloc, fgets, srand, time, isdigit, _iob, _access, wcstombs, mbstowcs, _errno, _wcsupr, _strcmpi, _itoa, _strnicmp, fprintf, sscanf, getenv, vsprintf, exit, __CxxFrameHandler, memmove, ceil, _ftol, strstr, wcslen, wcscpy, sprintf, printf, fclose, fopen, remove, atoi, free, malloc, strncmp, _CIpow, floor, strchr, tolower, _CxxThrowException, _stricmp, _except_handler3, strrchr, _strlwr, wcsstr, rand, system
MSVCP60.dll | ??0_Lockit@std@@QAE@XZ, ??1_Lockit@std@@QAE@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z, ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z, ?_Xlen@std@@YAXXZ, ?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z, ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z, ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z, ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z, ?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB, ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z, ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z, ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z, ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z, ?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ, ?_Xran@std@@YAXXZ, ?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB, ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z, ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z, ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ, ??0Init@ios_base@std@@QAE@XZ, ??1Init@ios_base@std@@QAE@XZ, ??0_Winit@std@@QAE@XZ, ??1_Winit@std@@QAE@XZ
WINMM.dll | mciSendStringA, waveInGetNumDevs
WS2_32.dll | gethostname, inet_addr, getsockname, bind, getpeername, accept, listen, sendto, recvfrom, ntohs, inet_ntoa, send, closesocket, recv, select, gethostbyname, connect, setsockopt, WSAIoctl, WSACleanup, WSAStartup, __WSAFDIsSet, ioctlsocket, socket, htons
iphlpapi.dll | GetIfTable
dwmapi.dll | DwmIsCompositionEnabled
SHLWAPI.dll | PathFindFileNameA, PathUnquoteSpacesA, PathRemoveArgsA, PathGetArgsA, SHDeleteKeyA
WININET.dll | InternetGetConnectedState, InternetReadFile, HttpSendRequestA, InternetOpenUrlA, HttpOpenRequestA, InternetOpenA, InternetConnectA, InternetCloseHandle, HttpQueryInfoA
NETAPI32.dll | NetUserSetInfo, NetUserAdd, NetUserGetLocalGroups, NetApiBufferFree, NetUserGetInfo, NetUserEnum, NetLocalGroupAddMembers, NetUserDel
PSAPI.DLL | GetProcessMemoryInfo, GetModuleFileNameExA
WTSAPI32.dll | WTSEnumerateSessionsA, WTSDisconnectSession, WTSLogoffSession, WTSQuerySessionInformationA, WTSFreeMemory, WTSQuerySessionInformationW
Name      Ordinal   Address
Shellex   1         0x1001efd0
Timestamp                              Source Port   Dest Port   Source IP       Dest IP
Nov 18, 2024 14:18:26.997052908 CET    53            50259       162.159.36.2    192.168.2.5
Nov 18, 2024 14:18:27.880229950 CET    53            50227       1.1.1.1         192.168.2.5

                                                Target ID:0
                                                Start time:08:17:39
                                                Start date:18/11/2024
                                                Path:C:\Windows\System32\loaddll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:loaddll32.exe "C:\Users\user\Desktop\KlzXRW4Ag7.dll"
                                                Imagebase:0x380000
                                                File size:126'464 bytes
                                                MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:false

                                                Target ID:1
                                                Start time:08:17:39
                                                Start date:18/11/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false

                                                Target ID:2
                                                Start time:08:17:39
                                                Start date:18/11/2024
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\KlzXRW4Ag7.dll",#1
                                                Imagebase:0x790000
                                                File size:236'544 bytes
                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false

                                                Target ID:3
                                                Start time:08:17:39
                                                Start date:18/11/2024
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe C:\Users\user\Desktop\KlzXRW4Ag7.dll,Shellex
                                                Imagebase:0x3b0000
                                                File size:61'440 bytes
                                                MD5 hash:889B99C52A60DD49227C5E485A016679
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000003.00000002.4538448585.000000001011E000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:false

                                                Target ID:4
                                                Start time:08:17:39
                                                Start date:18/11/2024
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe "C:\Users\user\Desktop\KlzXRW4Ag7.dll",#1
                                                Imagebase:0x3b0000
                                                File size:61'440 bytes
                                                MD5 hash:889B99C52A60DD49227C5E485A016679
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000004.00000002.4538432688.000000001011E000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:false

                                                Target ID:5
                                                Start time:08:17:39
                                                Start date:18/11/2024
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:cmd /c md C:\Users\Public\Documents\MM
                                                Imagebase:0x790000
                                                File size:236'544 bytes
                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:6
                                                Start time:08:17:39
                                                Start date:18/11/2024
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:cmd /c md C:\Users\Public\Documents\MM
                                                Imagebase:0x790000
                                                File size:236'544 bytes
                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:7
                                                Start time:08:17:39
                                                Start date:18/11/2024
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:cmd /c md C:\Users\Public\Documents\MM
                                                Imagebase:0x790000
                                                File size:236'544 bytes
                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:8
                                                Start time:08:17:39
                                                Start date:18/11/2024
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:cmd /c md C:\Users\Public\Documents\MM
                                                Imagebase:0x790000
                                                File size:236'544 bytes
                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:9
                                                Start time:08:17:39
                                                Start date:18/11/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:10
                                                Start time:08:17:39
                                                Start date:18/11/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:11
                                                Start time:08:17:39
                                                Start date:18/11/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:12
                                                Start time:08:17:39
                                                Start date:18/11/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true
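The process list above is a flat run of "key:value" blocks. The script below, an added example for this page and not Joe Security tooling, parses those blocks and applies three triage checks: rundll32.exe invoking a named export or ordinal from a DLL outside the Windows directory (here `,Shellex` and `,#1`), cmd.exe creating a directory under C:\Users\Public (the `md C:\Users\Public\Documents\MM` children), and a Yara rule matching in process memory. The records in SAMPLE are a subset copied from the list above; the check names, the regexes and the "outside C:\Windows" cut-off are this example's own heuristics.

```python
"""Parse Joe Sandbox per-process records and turn them into triage findings.

Added example for this report page, not Joe Security tooling. SAMPLE is a
subset copied from the process list above; the checks are this example's own.
"""
import re
from typing import Dict, List, Tuple

# rundll32 <dll>,<export|#ordinal>, with optional quotes around the DLL path
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?,(?P<export>#?\w+)', re.I)
# cmd's built-in md/mkdir aimed at the world-writable C:\Users\Public tree
MKDIR_PUBLIC_RE = re.compile(
    r'\b(?:md|mkdir)\s+"?(?P<dir>C:\\Users\\Public\\[^"\s]+)', re.I)
YARA_RULE_RE = re.compile(r"Rule:\s*(?P<rule>[^,]+),")


def parse_process_records(text: str) -> List[Dict[str, object]]:
    """Split blank-line separated blocks into dicts of key/value pairs.
    Bullet lines (Yara hits) are collected under the 'yara' key."""
    records: List[Dict[str, object]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec: Dict[str, object] = {}
        yara: List[str] = []
        for line in block.splitlines():
            line = line.strip()
            if not line:
                continue
            if line.startswith("•"):
                m = YARA_RULE_RE.search(line)
                if m:
                    yara.append(m.group("rule").strip())
                continue
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        if "Target ID" in rec:
            rec["yara"] = yara
            records.append(rec)
    return records


def triage_processes(text: str) -> List[Tuple[str, str, str]]:
    """Return (target id, check name, detail) triples for every hit."""
    findings: List[Tuple[str, str, str]] = []
    for rec in parse_process_records(text):
        tid = str(rec["Target ID"])
        image = str(rec.get("Path", "")).rsplit("\\", 1)[-1].lower()
        cmdline = str(rec.get("Commandline", ""))
        if image == "rundll32.exe":
            m = RUNDLL_RE.search(cmdline)
            # DLL loaded by export/ordinal from outside %SystemRoot%
            if m and not m.group("dll").lower().startswith("c:\\windows\\"):
                findings.append((tid, "rundll32_user_dll_export",
                                 f'{m.group("dll")} -> {m.group("export")}'))
        if image == "cmd.exe":
            m = MKDIR_PUBLIC_RE.search(cmdline)
            if m:
                findings.append((tid, "cmd_mkdir_public", m.group("dir")))
        for rule in rec["yara"]:  # type: ignore[union-attr]
            findings.append((tid, "yara_in_memory", str(rule)))
    return findings


# Subset of the process list above (records 1 to 5), copied from the report.
SAMPLE = r"""
Target ID:1
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Has exited:false

Target ID:2
Path:C:\Windows\SysWOW64\cmd.exe
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\KlzXRW4Ag7.dll",#1
Has exited:false

Target ID:3
Path:C:\Windows\SysWOW64\rundll32.exe
Commandline:rundll32.exe C:\Users\user\Desktop\KlzXRW4Ag7.dll,Shellex
Yara matches:
• Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000003.00000002.4538448585.000000001011E000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Has exited:false

Target ID:4
Path:C:\Windows\SysWOW64\rundll32.exe
Commandline:rundll32.exe "C:\Users\user\Desktop\KlzXRW4Ag7.dll",#1
Yara matches:
• Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000004.00000002.4538432688.000000001011E000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Has exited:false

Target ID:5
Path:C:\Windows\SysWOW64\cmd.exe
Commandline:cmd /c md C:\Users\Public\Documents\MM
Has exited:true
"""

if __name__ == "__main__":
    for tid, check, detail in triage_processes(SAMPLE):
        print(f"target {tid}: {check}: {detail}")
```

Target 2 is deliberately not flagged by the rundll32 check even though its command line contains the same DLL and ordinal: the check keys on the image path, so the cmd.exe wrapper and the rundll32.exe child are reported once, at the process that actually loads the DLL.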


                                                  Execution Graph

                                                  Execution Coverage:1%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:50%
                                                  Total number of Nodes:244
                                                  Total number of Limit Nodes:11
                                                  execution_graph 21793 1001efd0 12 API calls 21874 1001b660 GetModuleHandleA 21793->21874 21795 1001f1d6 21796 1001b660 3 API calls 21795->21796 21797 1001f258 21796->21797 21798 1001b660 3 API calls 21797->21798 21799 1001f2c9 21798->21799 21800 1001b660 3 API calls 21799->21800 21801 1001f3ed 21800->21801 21802 1001b660 3 API calls 21801->21802 21803 1001f54e 21802->21803 21804 1001b660 3 API calls 21803->21804 21805 1001f67b 21804->21805 21806 1001b660 3 API calls 21805->21806 21807 1001f729 21806->21807 21808 1001b660 3 API calls 21807->21808 21809 1001f7c3 21808->21809 21810 1001b660 3 API calls 21809->21810 21811 1001f80d 21810->21811 21812 1001b660 3 API calls 21811->21812 21813 1001f893 21812->21813 21814 1001b660 3 API calls 21813->21814 21815 1001f93e GetCurrentThreadId PostThreadMessageA 21814->21815 21816 1001f959 InitializeSecurityDescriptor SetSecurityDescriptorDacl GetCommandLineA CreateMutexA 21815->21816 21818 1001fa63 21816->21818 21819 1001fa52 GetLastError 21816->21819 21821 1001fe86 21818->21821 21822 1001fadf 21818->21822 21819->21818 21820 1001fec6 21819->21820 21878 1001ab20 21821->21878 21824 1001fc40 21822->21824 21825 1001faeb strstr 21822->21825 21824->21820 21827 1001fc4c 21824->21827 21828 1001fb07 Sleep 21825->21828 21829 1001fb18 21825->21829 21826 1001fea1 21832 1001feb5 Sleep 21826->21832 21833 1001fea8 21826->21833 21893 1001e440 15 API calls 21827->21893 21835 1001ef90 24 API calls 21828->21835 21888 1001fee0 OpenSCManagerA OpenServiceA CloseServiceHandle CloseServiceHandle CloseServiceHandle 21829->21888 21885 1001ef90 21832->21885 21896 1001e440 15 API calls 21833->21896 21835->21828 21836 1001fb22 21840 1001fbb6 sprintf 21836->21840 21841 1001fb2d 21836->21841 21839 1001fc5f 21839->21820 21845 1001fc98 sprintf 21839->21845 21890 1001e440 15 API calls 21840->21890 21848 1001fb52 OpenSCManagerA 21841->21848 21849 1001fba5 Sleep 21841->21849 21842 1001feb2 21842->21832 21851 
1001fd01 21845->21851 21846 1001fc15 21891 1001ff30 9 API calls 21846->21891 21848->21849 21853 1001fb65 OpenServiceA 21848->21853 21854 1001ef90 24 API calls 21849->21854 21855 1001fe75 Sleep 21851->21855 21856 1001fd0a GetModuleFileNameA sprintf 21851->21856 21852 1001fc31 21892 1001ea60 9 API calls 21852->21892 21858 1001fba2 CloseServiceHandle 21853->21858 21859 1001fb7f StartServiceA 21853->21859 21854->21849 21864 1001ef90 24 API calls 21855->21864 21865 1001fdbc Sleep 21856->21865 21858->21849 21862 1001fba0 CloseServiceHandle 21859->21862 21863 1001fb8d CloseServiceHandle CloseServiceHandle 21859->21863 21861 1001fc39 ExitProcess 21862->21858 21889 1001ea60 9 API calls 21863->21889 21864->21855 21868 1001fe12 21865->21868 21867 1001fb99 ExitProcess 21894 1001e800 GetModuleHandleA LoadLibraryA GetProcAddress CloseHandle 21868->21894 21870 1001fe2d sprintf 21871 1001fe69 21870->21871 21895 1001ea60 9 API calls 21871->21895 21873 1001fe6e ExitProcess 21875 1001b670 LoadLibraryA 21874->21875 21876 1001b67b GetProcAddress 21874->21876 21875->21876 21877 1001b689 21875->21877 21876->21795 21877->21795 21897 10014700 LoadLibraryA GetProcAddress #823 #823 RegOpenKeyExA 21878->21897 21880 1001abc8 lstrlenA 21881 1001ac37 lstrlenA 21880->21881 21882 1001abd6 CreateFileA 21880->21882 21881->21826 21883 1001ac30 CloseHandle 21882->21883 21884 1001ac17 GetFileSize ReadFile 21882->21884 21883->21881 21884->21883 21925 1002bdb0 LoadLibraryA GetProcAddress 21885->21925 21887 1001efa7 WaitForSingleObject CloseHandle 21887->21832 21888->21836 21889->21867 21890->21846 21891->21852 21892->21861 21893->21839 21894->21870 21895->21873 21896->21842 21898 10014881 21897->21898 21899 10014899 21897->21899 21923 10014c12 RegCloseKey RegCloseKey 21898->21923 21902 10014a03 RegQueryValueExA 21899->21902 21903 100148c2 RegQueryValueExA 21899->21903 21904 10014ba2 wsprintfA 21899->21904 21905 10014908 RegQueryValueExA 21899->21905 21906 10014acc RegEnumValueA 21899->21906 21907 
10014a30 RegEnumKeyExA 21899->21907 21908 10014bf5 lstrcatA 21899->21908 21909 10014bcf wsprintfA 21899->21909 21910 10014b58 wsprintfA 21899->21910 21911 10014b7d wsprintfA 21899->21911 21912 100149bc RegQueryValueExA 21899->21912 21919 100148ac 21899->21919 21921 100148f2 21899->21921 21902->21921 21903->21921 21904->21908 21920 10014934 21905->21920 21905->21921 21916 10014b44 21906->21916 21906->21921 21915 10014a78 wsprintfA 21907->21915 21907->21921 21908->21880 21909->21908 21910->21908 21911->21908 21914 100149e8 wsprintfA 21912->21914 21912->21921 21913 10014894 #825 #825 21913->21880 21914->21921 21915->21907 21916->21904 21916->21908 21916->21909 21916->21910 21916->21911 21919->21902 21919->21903 21919->21904 21919->21905 21919->21908 21919->21909 21919->21910 21919->21911 21919->21912 21919->21921 21920->21921 21922 1001494e strncat strncat strchr 21920->21922 21924 10014c12 RegCloseKey RegCloseKey 21921->21924 21922->21920 21923->21913 21924->21913 21926 1002bdf3 CreateThread LoadLibraryA GetProcAddress 21925->21926 21927 1002be35 CloseHandle 21926->21927 21928 1002bcb0 21926->21928 21927->21887 21934 10010ca0 21928->21934 21930 1002bcee LoadLibraryA GetProcAddress 21931 1002bd5e 21930->21931 21932 1002bd69 21931->21932 21935 1002bfa0 14 API calls 21931->21935 21934->21930 21935->21932 21936 1002d2eb 21937 1002d2fe 21936->21937 21942 1002d307 21936->21942 21939 1002d32f 21937->21939 21951 100214b0 21937->21951 21938 1002d323 21965 1002d240 malloc _initterm free 21938->21965 21942->21937 21942->21938 21942->21939 21943 1002d32b 21943->21937 21945 1002d34f 21945->21939 21946 1002d358 21945->21946 21967 1002d240 malloc _initterm free 21946->21967 21947 1002d347 21966 1002d240 malloc _initterm free 21947->21966 21950 1002d360 21950->21939 21952 10021588 21951->21952 21953 100214be 21951->21953 21952->21939 21952->21945 21952->21947 21968 10021410 _access 21953->21968 21955 100214c3 _access 21956 100214e0 WinExec _access 21955->21956 21957 10021521 Sleep 
21955->21957 21956->21957 21958 10021500 WinExec Sleep _access 21956->21958 21991 10020f70 21957->21991 21958->21957 21958->21958 21960 1002152d CreateThread 21961 10021551 CreateThread 21960->21961 21962 1002154e CloseHandle 21960->21962 22075 10020fd0 96 API calls 21960->22075 21963 10021566 CloseHandle 21961->21963 21964 10021569 Shellex 21961->21964 22074 100211c0 41 API calls 21961->22074 21962->21961 21963->21964 21964->21952 21965->21943 21966->21945 21967->21950 21969 10021434 21968->21969 21970 1002142b 21968->21970 21969->21955 21996 100209d0 AllocateAndInitializeSid 21970->21996 21973 1002143d GetModuleFileNameA 21973->21969 21974 10021453 21973->21974 21975 1002145b ShellExecuteExA 21974->21975 21976 10021497 GetLastError 21975->21976 21977 1002149f exit 21975->21977 21976->21975 21978 100214b0 21977->21978 21979 10021588 21978->21979 21980 10021410 123 API calls 21978->21980 21979->21955 21981 100214c3 _access 21980->21981 21982 100214e0 WinExec _access 21981->21982 21983 10021521 Sleep 21981->21983 21982->21983 21984 10021500 WinExec Sleep _access 21982->21984 21985 10020f70 8 API calls 21983->21985 21984->21983 21984->21984 21986 1002152d CreateThread 21985->21986 21987 10021551 CreateThread 21986->21987 21988 1002154e CloseHandle 21986->21988 22022 10020fd0 _access 21986->22022 21989 10021566 CloseHandle 21987->21989 21990 10021569 Shellex 21987->21990 21999 100211c0 _access 21987->21999 21988->21987 21989->21990 21990->21979 22071 10020f30 GetModuleFileNameA 21991->22071 21993 10020f7a 21994 10020f81 ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@ 21993->21994 21995 10020f9f GetLastError ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@ 21993->21995 21994->21960 21995->21960 21997 10020a36 21996->21997 21998 10020a1a 
CheckTokenMembership FreeSid 21996->21998 21997->21969 21997->21973 21998->21997 22000 100212e1 Sleep CreateFileA 21999->22000 22001 100211f8 ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N 21999->22001 22002 10021310 MessageBoxA 22000->22002 22003 10021327 GetFileSize 22000->22003 22004 10021228 ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI 22001->22004 22005 1002124c ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI 22001->22005 22007 100213f0 22002->22007 22008 10021335 MessageBoxA 22003->22008 22009 1002134e VirtualAlloc 22003->22009 22004->22005 22067 10020810 22 API calls 22005->22067 22010 100213e9 CloseHandle 22008->22010 22011 10021369 MessageBoxA 22009->22011 22012 1002137d ReadFile 22009->22012 22010->22007 22011->22010 22014 100213c7 MessageBoxA VirtualFree 22012->22014 22015 1002138e 22012->22015 22013 1002128d 22016 100212a5 22013->22016 22018 100212ab #825 22013->22018 22014->22010 22015->22014 22017 10021393 CloseHandle 22015->22017 22016->22000 22019 100212d8 #825 22016->22019 22021 100212d2 22016->22021 22020 100213a0 VirtualFree 22017->22020 22018->22016 22019->22000 22021->22000 22023 10021123 22022->22023 22024 10021009 ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N 22022->22024 22025 100209d0 3 API calls 22023->22025 22026 10021063 ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI 22024->22026 22027 1002103f ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI 22024->22027 22028 10021128 22025->22028 22068 10020810 22 API calls 22026->22068 22027->22026 22030 1002114e GetModuleFileNameA 22028->22030 22031 1002112c 22028->22031 22032 10021163 22030->22032 22033 10021131 22030->22033 22069 10020c20 41 API calls 22031->22069 22038 1002116e ShellExecuteExA 22032->22038 22035 100210b4 22036 100210cd 22035->22036 22037 100210d3 #825 22035->22037 22039 10021118 Sleep 22036->22039 
22042 1002110f #825 22036->22042 22044 10021109 22036->22044 22037->22036 22040 100211a6 GetLastError 22038->22040 22041 100211ae exit 22038->22041 22039->22023 22040->22038 22043 100211c0 _access 22041->22043 22042->22039 22045 100212e1 Sleep CreateFileA 22043->22045 22046 100211f8 ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N 22043->22046 22044->22039 22047 10021310 MessageBoxA 22045->22047 22048 10021327 GetFileSize 22045->22048 22049 10021228 ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI 22046->22049 22050 1002124c ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI 22046->22050 22052 100213f0 22047->22052 22053 10021335 MessageBoxA 22048->22053 22054 1002134e VirtualAlloc 22048->22054 22049->22050 22070 10020810 22 API calls 22050->22070 22055 100213e9 CloseHandle 22053->22055 22056 10021369 MessageBoxA 22054->22056 22057 1002137d ReadFile 22054->22057 22055->22052 22056->22055 22058 100213c7 MessageBoxA VirtualFree 22057->22058 22059 1002138e 22057->22059 22058->22055 22059->22058 22061 10021393 CloseHandle 22059->22061 22060 100212a5 22060->22045 22064 100212d8 #825 22060->22064 22066 100212d2 22060->22066 22065 100213a0 VirtualFree 22061->22065 22062 1002128d 22062->22060 22063 100212ab #825 22062->22063 22063->22060 22064->22045 22066->22045 22067->22013 22068->22035 22069->22033 22070->22062 22072 10020f53 CopyFileA 22071->22072 22073 10020f4c 22071->22073 22072->21993 22073->21993

                                                  Control-flow Graph

                                                  control_flow_graph 0 1001efd0-1001fa50 #823 lstrcpyA * 11 call 1001b660 * 11 GetCurrentThreadId PostThreadMessageA InitializeSecurityDescriptor SetSecurityDescriptorDacl GetCommandLineA CreateMutexA 25 1001fa63-1001faba 0->25 26 1001fa52-1001fa5d GetLastError 0->26 29 1001fad0-1001fad9 25->29 30 1001fabc-1001faca 25->30 26->25 27 1001fec6-1001fed2 26->27 31 1001fe86-1001fea6 call 1001ab20 29->31 32 1001fadf-1001fae5 29->32 30->29 42 1001feb5 31->42 43 1001fea8-1001feb2 call 1001e440 31->43 34 1001fc40-1001fc46 32->34 35 1001faeb-1001fb05 strstr 32->35 34->27 37 1001fc4c-1001fc92 call 1001e440 34->37 38 1001fb07 35->38 39 1001fb18-1001fb27 call 1001fee0 35->39 37->27 58 1001fc98-1001fd04 sprintf 37->58 40 1001fb0d-1001fb16 Sleep call 1001ef90 38->40 51 1001fbb6-1001fc3a sprintf call 1001e440 call 1001ff30 call 1001ea60 ExitProcess 39->51 52 1001fb2d-1001fb50 39->52 48 1001febb-1001febf Sleep call 1001ef90 42->48 43->42 57 1001fec4 48->57 62 1001fb52-1001fb63 OpenSCManagerA 52->62 63 1001fba5 52->63 57->48 69 1001fe75 58->69 70 1001fd0a-1001fe6f GetModuleFileNameA sprintf Sleep call 1001e800 sprintf call 1001ea60 ExitProcess 58->70 62->63 67 1001fb65-1001fb7d OpenServiceA 62->67 64 1001fbab-1001fbb4 Sleep call 1001ef90 63->64 72 1001fba2-1001fba3 CloseServiceHandle 67->72 73 1001fb7f-1001fb8b StartServiceA 67->73 74 1001fe7b-1001fe84 Sleep call 1001ef90 69->74 72->63 77 1001fba0 CloseServiceHandle 73->77 78 1001fb8d-1001fb9a CloseServiceHandle * 2 call 1001ea60 ExitProcess 73->78 77->72
                                                  APIs
                                                  • #823.MFC42(00000849), ref: 1001EFDF
                                                  • lstrcpyA.KERNEL32(27.124.13.32,00000000), ref: 1001F006
                                                  • lstrcpyA.KERNEL32(1011EAFC,0000012C), ref: 1001F014
                                                  • lstrcpyA.KERNEL32(Default,00000260), ref: 1001F022
                                                  • lstrcpyA.KERNEL32(1.0,00000292), ref: 1001F030
                                                  • lstrcpyA.KERNEL32(1011EC82,000002B2), ref: 1001F03E
                                                  • lstrcpyA.KERNEL32(1011ECE6,00000316), ref: 1001F04C
                                                  • lstrcpyA.KERNEL32(1011ED66,00000396), ref: 1001F05A
                                                  • lstrcpyA.KERNEL32(1011EE66,00000496), ref: 1001F068
                                                  • lstrcpyA.KERNEL32(1011EF78,000005A8), ref: 1001F076
                                                  • lstrcpyA.KERNEL32(1011EFDC,0000060C), ref: 1001F084
                                                  • lstrcpyA.KERNEL32(1011F018,00000648), ref: 1001F092
                                                    • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,759183C0,1001F1D6), ref: 1001B666
                                                    • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                    • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                  • GetCurrentThreadId.KERNEL32 ref: 1001F94E
                                                  • PostThreadMessageA.USER32(00000000,?,?,?,?,?,?), ref: 1001F955
                                                  • InitializeSecurityDescriptor.ADVAPI32(?,00000001,?,?,?,?,?,?), ref: 1001F973
                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,?,?,?,?,?), ref: 1001F987
                                                  • GetCommandLineA.KERNEL32 ref: 1001F9B1
                                                  • CreateMutexA.KERNELBASE(?,00000000,00000000), ref: 1001FA43
                                                  • GetLastError.KERNEL32 ref: 1001FA52
                                                  • strstr.MSVCRT ref: 1001FAFA
                                                  • Sleep.KERNEL32(00000032,?,?,?,?,?,?,?,?), ref: 1001FB0F
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00020000), ref: 1001FB59
                                                  • OpenServiceA.ADVAPI32(00000000,1011EC82,00000010), ref: 1001FB6D
                                                  • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 1001FB82
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 1001FB8F
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 1001FB92
                                                  • ExitProcess.KERNEL32 ref: 1001FB9A
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 1001FBA0
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 1001FBA3
                                                  • ExitProcess.KERNEL32 ref: 1001FC3A
                                                  • sprintf.MSVCRT ref: 1001FC05
                                                    • Part of subcall function 1001E440: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000,1011EF78,00000000,0000005C), ref: 1001E484
                                                    • Part of subcall function 1001E440: GetLocalTime.KERNEL32(?), ref: 1001E4CE
                                                    • Part of subcall function 1001E440: sprintf.MSVCRT ref: 1001E599
                                                  • Sleep.KERNEL32(00000032), ref: 1001FBAD
                                                    • Part of subcall function 1001EF90: WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,75920F00,1001FEC4), ref: 1001EFAF
                                                    • Part of subcall function 1001EF90: CloseHandle.KERNEL32(00000000,?,?,?,?,?,75920F00,1001FEC4,?,?,?,?,?,?,?,?), ref: 1001EFB6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpy$HandleService$Close$CreateDescriptorExitOpenProcessSecuritySleepThreadsprintf$#823AddressCommandCurrentDaclErrorFileInitializeLastLibraryLineLoadLocalManagerMessageModuleMutexObjectPostProcSingleStartTimeWaitstrstr
                                                  • String ID: -acsi$%$%$%$%$%$%$.$.$1.0$2$2$2$2$27.124.13.32$3$3$A$A$A$A$A$A$A$A$A$A$A$A$A$A$C$C$D$D$D$D$Default$E$E$E$E$F$F$F$F$G$G$G$G$Global\$I$I$K$L$L$M$M$N$P$P$R$S$S$S$S$S$S$S$S$T$V$a$a$a$a$a$a$a$a$a$b$b$c$c$c$c$c$d$d$d$g$g$g$g$g$h$h$h$h$i$i$i$i$i$i$i$i$i$i$i$i$i$k$k$l$l$l$l$l$l$l$l$l$l$l$l$l$l$m$m$n$n$n$o$o$o$open$p$p$p$p$r$r$r$r$r$r$r$r$r$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$u$u$u$u$v$v$v$x$y
                                                  • API String ID: 351596864-2051936253
                                                  • Opcode ID: 883ccdff635accb15a3438774b43736b792bf4128a22084744ad4c2a95e8cc9c
                                                  • Instruction ID: b4a9aafdaf77aaaa37ed98e4af6ccde984e3ddeee7ec680cf4f0b233b2d3cfa1
                                                  • Opcode Fuzzy Hash: 883ccdff635accb15a3438774b43736b792bf4128a22084744ad4c2a95e8cc9c
                                                  • Instruction Fuzzy Hash: B782057050C3C0DDE332C7688848BDFBED5ABA6708F48499DE5CC4A292D7BA5648C767

                                                  Control-flow Graph
                                                  control_flow_graph 91 10014700-1001487f LoadLibraryA GetProcAddress #823 * 2 RegOpenKeyExA 92 10014881-10014894 call 10014c12 91->92 93 10014899-1001489f 91->93 119 10014c28-10014c53 #825 * 2 92->119 95 100148a5 93->95 96 100149ab-100149b7 call 10014c12 93->96 95->96 99 10014a03-10014a29 RegQueryValueExA 95->99 100 100148c2-100148ec RegQueryValueExA 95->100 101 10014ba2-10014bcd wsprintfA 95->101 102 100149a4 95->102 103 10014908-10014932 RegQueryValueExA 95->103 104 100148ac-100148b5 95->104 105 10014acc-10014b3e RegEnumValueA 95->105 106 10014bcf-10014bd4 95->106 107 10014a30-10014a72 RegEnumKeyExA 95->107 108 10014bf5-10014c0d lstrcatA 95->108 109 10014bd6 95->109 110 10014b58-10014b7b wsprintfA 95->110 111 10014b7d-10014ba0 wsprintfA 95->111 112 100149bc-100149e6 RegQueryValueExA 95->112 96->119 99->96 115 10014a2b 99->115 100->96 121 100148f2-10014906 call 10010c70 100->121 101->108 102->96 103->96 122 10014934-10014943 103->122 104->96 120 100148bb 104->120 105->96 117 10014b44-10014b4b 105->117 118 10014bdb-10014bf2 wsprintfA 106->118 107->96 116 10014a78-10014ac7 wsprintfA 107->116 109->118 110->108 111->108 112->96 114 100149e8-10014a01 wsprintfA 112->114 114->102 115->102 116->107 117->108 124 10014b51 117->124 118->108 120->96 120->99 120->100 120->101 120->103 120->106 120->108 120->109 120->110 120->111 120->112 129 10014986-100149a2 121->129 125 10014949-1001494c 122->125 124->101 124->106 124->108 124->109 124->110 124->111 126 10014980 125->126 127 1001494e-1001497e strncat * 2 strchr 125->127 126->129 127->125 129->102
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                  • #823.MFC42(?), ref: 10014763
                                                  • #823.MFC42(?,?), ref: 100147DA
                                                  • RegOpenKeyExA.KERNELBASE(00000000,1011EF78,00000000,00020019,?), ref: 1001487A
                                                    • Part of subcall function 10014C12: RegCloseKey.ADVAPI32(00000000,100149B7), ref: 10014C1C
                                                    • Part of subcall function 10014C12: RegCloseKey.ADVAPI32(?), ref: 10014C25
                                                  • #825.MFC42(?), ref: 10014C2F
                                                  • #825.MFC42(?,?), ref: 10014C38
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823#825Close$AddressLibraryLoadOpenProc
                                                  • String ID: %-24s %-$%-24s %-15$'%','-','2','4','s',' ','%','-','1','5','s',' ','0','x','%','x','(','%','d',')',' ','','r','','n','$15s $ADVAPI32.dll$REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_SZ$RegOpenKeyExA$[%s]$s %s
                                                  • API String ID: 625772149-2764046103
                                                  • Opcode ID: 0024f7a14ccc40860d22aef0d45ff9c672fe43e6c44d1ee7db042c9b09f00cf4
                                                  • Instruction ID: 6f0be5dfbe458e84bf84f3ea48d1999a7ba48aff042a9fed31ad65e4978857f0
                                                  • Opcode Fuzzy Hash: 0024f7a14ccc40860d22aef0d45ff9c672fe43e6c44d1ee7db042c9b09f00cf4
                                                  • Instruction Fuzzy Hash: D2E1A0B29005189BDB14CFA8CC84AEFB7B9FB88310F554359F61AA72D0DB759E44CB90

                                                  Control-flow Graph

                                                  APIs
                                                  • _access.MSVCRT ref: 1002141D
                                                    • Part of subcall function 100209D0: AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 10020A10
                                                    • Part of subcall function 100209D0: CheckTokenMembership.ADVAPI32(00000000,?,?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000), ref: 10020A25
                                                    • Part of subcall function 100209D0: FreeSid.ADVAPI32(?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 10020A30
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10021449
                                                  • ShellExecuteExA.SHELL32(?), ref: 10021491
                                                  • GetLastError.KERNEL32 ref: 10021497
                                                  • exit.MSVCRT ref: 100214A1
                                                  • _access.MSVCRT ref: 100214D0
                                                  • WinExec.KERNEL32(cmd /c md C:\Users\Public\Documents\MM,00000000), ref: 100214ED
                                                  • _access.MSVCRT ref: 100214F6
                                                  • WinExec.KERNEL32(cmd /c md C:\Users\Public\Documents\MM,00000000), ref: 10021507
                                                  • Sleep.KERNEL32(000003E8), ref: 1002150E
                                                  • _access.MSVCRT ref: 10021517
                                                  • Sleep.KERNELBASE(000001F4,?,?), ref: 10021526
                                                  • CreateThread.KERNELBASE(00000000,00000000,10020FD0,00000000,00000000,00000000), ref: 10021542
                                                  • CloseHandle.KERNELBASE(00000000), ref: 1002154F
                                                  • CreateThread.KERNELBASE(00000000,00000000,100211C0,00000000,00000000,00000000), ref: 10021560
                                                  • CloseHandle.KERNEL32(00000000), ref: 10021567
                                                  • Shellex.KLZXRW4AG7 ref: 1002157D
                                                    • Part of subcall function 1001EFD0: #823.MFC42(00000849), ref: 1001EFDF
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(27.124.13.32,00000000), ref: 1001F006
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011EAFC,0000012C), ref: 1001F014
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(Default,00000260), ref: 1001F022
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1.0,00000292), ref: 1001F030
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011EC82,000002B2), ref: 1001F03E
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011ECE6,00000316), ref: 1001F04C
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011ED66,00000396), ref: 1001F05A
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011EE66,00000496), ref: 1001F068
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011EF78,000005A8), ref: 1001F076
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011EFDC,0000060C), ref: 1001F084
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011F018,00000648), ref: 1001F092
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpy$_access$CloseCreateExecHandleSleepThread$#823AllocateCheckErrorExecuteFileFreeInitializeLastMembershipModuleNameShellShellexTokenexit
                                                  • String ID: 27.124.13.32$<$C:\Users\Public\Documents\MM$C:\Users\Public\Documents\MM\svchos.exe$cmd /c md C:\Users\Public\Documents\MM$runas
                                                  • API String ID: 2771109159-53182428
                                                  • Opcode ID: 27430460dbf95ed90b217e7b785691f14b10aa22f7afd86c63f1087f188c6101
                                                  • Instruction ID: a5a66a5d6db29b129cda308b9448f19d3f55c3e6fd715840f60853cf68b16c06
                                                  • Opcode Fuzzy Hash: 27430460dbf95ed90b217e7b785691f14b10aa22f7afd86c63f1087f188c6101
                                                  • Instruction Fuzzy Hash: E2313935640315ABF620E774AC81FCE3694EF90760F640625F758FB1D0DBB4A8444AA7

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 10014700: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                    • Part of subcall function 10014700: GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                    • Part of subcall function 10014700: #823.MFC42(?), ref: 10014763
                                                    • Part of subcall function 10014700: #823.MFC42(?,?), ref: 100147DA
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001ABCC
                                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001AC0A
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001AC1A
                                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001AC2A
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001AC31
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001AC38
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$#823lstrlen$AddressCloseCreateHandleLibraryLoadProcReadSize
                                                  • String ID: C:\ProgramData\Microsoft Drive\Mark.sys$M$T$TGByte\Setup$a$e$i$k$m$r
                                                  • API String ID: 1069036285-2757848780
                                                  • Opcode ID: 609c1d4d3e64c279bb3e05bdc0d160624767e379e680bce48e43df6b4370bf5c
                                                  • Instruction ID: 3141875a0b5f935918f5a9fe467541037c1485cf519d2f8b674b7d8fd7142dc0
                                                  • Opcode Fuzzy Hash: 609c1d4d3e64c279bb3e05bdc0d160624767e379e680bce48e43df6b4370bf5c
                                                  • Instruction Fuzzy Hash: 4631B831108790AFE311CB28CC54B9BBBD9EBC9704F444A1CFA99572D1D7B66A04CB66

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 10021410: _access.MSVCRT ref: 1002141D
                                                  • _access.MSVCRT ref: 100214D0
                                                  • WinExec.KERNEL32(cmd /c md C:\Users\Public\Documents\MM,00000000), ref: 100214ED
                                                  • _access.MSVCRT ref: 100214F6
                                                  • WinExec.KERNEL32(cmd /c md C:\Users\Public\Documents\MM,00000000), ref: 10021507
                                                  • Sleep.KERNEL32(000003E8), ref: 1002150E
                                                  • _access.MSVCRT ref: 10021517
                                                  • Sleep.KERNELBASE(000001F4,?,?), ref: 10021526
                                                  • CreateThread.KERNELBASE(00000000,00000000,10020FD0,00000000,00000000,00000000), ref: 10021542
                                                  • CloseHandle.KERNELBASE(00000000), ref: 1002154F
                                                  • CreateThread.KERNELBASE(00000000,00000000,100211C0,00000000,00000000,00000000), ref: 10021560
                                                  • CloseHandle.KERNEL32(00000000), ref: 10021567
                                                  • Shellex.KLZXRW4AG7 ref: 1002157D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _access$CloseCreateExecHandleSleepThread$Shellex
                                                  • String ID: 27.124.13.32$C:\Users\Public\Documents\MM$cmd /c md C:\Users\Public\Documents\MM
                                                  • API String ID: 4276510029-3007588180
                                                  • Opcode ID: 20e2bacd56600247101a0d76b05947d608b166e4dfe2e919fe26800215592bbf
                                                  • Instruction ID: 1880b03a88d72aaaf0ef92517f44c92bb3935e227843c970e6865efee2f4d755
                                                  • Opcode Fuzzy Hash: 20e2bacd56600247101a0d76b05947d608b166e4dfe2e919fe26800215592bbf
                                                  • Instruction Fuzzy Hash: 8311CA39B80725B6F520A3B4AC82FDE2544DB90764F650671F758BF1C0DAA4BC4046AB

                                                  Control-flow Graph

                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,1011EF78,75920F00,0000005C,00000000,00000000,75920F00,1001FEC4), ref: 1002BDDE
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002BDE7
                                                  • CreateThread.KERNELBASE(?,?,1002BCB0,?,?,?), ref: 1002BE15
                                                  • LoadLibraryA.KERNEL32(KERNEL32.DLL,WaitForSingleObject,?,?,?,?,?,?,?,?,?), ref: 1002BE27
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002BE2A
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 1002BE3A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$CloseCreateHandleThread
                                                  • String ID: CreateEventA$KERNEL32.DLL$KERNEL32.dll$WaitForSingleObject
                                                  • API String ID: 2992130774-1666596002
                                                  • Opcode ID: c800617ab3dbc7c9181aee0f0c1a98709263ac96f1036b6d438902c36e0c1d87
                                                  • Instruction ID: aae6743072f6a8d9501bf0052794d8238d47c4e4bd1befa635d5ea895d29fa21
                                                  • Opcode Fuzzy Hash: c800617ab3dbc7c9181aee0f0c1a98709263ac96f1036b6d438902c36e0c1d87
                                                  • Instruction Fuzzy Hash: 6D110C75608355AFD600DFA88C84F9BBBE8EBC8350F544A0DF698D3251C674E9058BA2

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 10020F30: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 10020F42
                                                  • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6CC1A3D8,1011FA90,?,?,1002152D), ref: 10020F8C
                                                  • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000,?,?,1002152D), ref: 10020F93
                                                  • GetLastError.KERNEL32(?,?,1002152D), ref: 10020F9F
                                                  • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6CC1A3D8,1011FA78,00000000,?,?,1002152D), ref: 10020FB2
                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z.MSVCP60(?,?,?,?,1002152D), ref: 10020FBD
                                                  • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000,?,?,?,?,1002152D), ref: 10020FC4
                                                  Strings
                                                  • C:\Users\Public\Documents\MM\svchos.exe, xrefs: 10020F70
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: U?$char_traits@$V?$basic_ostream@$??6std@@?endl@std@@D@std@@@0@D@std@@@1@V10@V21@@$??6?$basic_ostream@D@std@@@std@@ErrorFileLastModuleNameV01@
                                                  • String ID: C:\Users\Public\Documents\MM\svchos.exe
                                                  • API String ID: 481592904-2419483700
                                                  • Opcode ID: 11c2651b4c957b662908a6a8ac08819276dd940225fc1f4fbb4c02f7e860f6d8
                                                  • Instruction ID: 9191cda62355793243e74b4be4f538ad042f30efc769aff6ca936ed64aa651f9
                                                  • Opcode Fuzzy Hash: 11c2651b4c957b662908a6a8ac08819276dd940225fc1f4fbb4c02f7e860f6d8
                                                  • Instruction Fuzzy Hash: 9EE065B8A103106BE745A7F4AC8D9AA37D8FF4050670C1A78FD0EE6161EB39D2149711

                                                   Control-flow Graph
                                                   • 10020f30-10020f4a GetModuleFileNameA → 10020f53-10020f6e CopyFileA
                                                   • 10020f30-10020f4a GetModuleFileNameA → 10020f4c-10020f52
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 10020F42
                                                  • CopyFileA.KERNEL32(00000000,?,00000000), ref: 10020F62
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CopyModuleName
                                                  • String ID:
                                                  • API String ID: 4108865673-0
                                                  • Opcode ID: 8b9eeeda643a368c08ce189f1b931563e6753a19753fcbcbb6e14da0ee54dd1c
                                                  • Instruction ID: 93f4a3cd88c2ae214515ddcb3b57ab60d0dfeb708720a14bb37e431ebb366a02
                                                  • Opcode Fuzzy Hash: 8b9eeeda643a368c08ce189f1b931563e6753a19753fcbcbb6e14da0ee54dd1c
                                                  • Instruction Fuzzy Hash: BCE012F95443006BF314DB58DCC6FE636A8BB80B00FC44918F79C851D0E6F59598C662

                                                   Control-flow Graph
                                                   • 10014c12-10014c27 RegCloseKey * 2
                                                  APIs
                                                  • RegCloseKey.ADVAPI32(00000000,100149B7), ref: 10014C1C
                                                  • RegCloseKey.ADVAPI32(?), ref: 10014C25
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID:
                                                  • API String ID: 3535843008-0
                                                  • Opcode ID: 2d25b05425eaf0d76969a3d827c9af328c302ad55e3d4ae73cc7dce2a4c3e829
                                                  • Instruction ID: cb428774d1c23af65b3502e581b01568c295d1083760601ce9be51a3606d3d50
                                                  • Opcode Fuzzy Hash: 2d25b05425eaf0d76969a3d827c9af328c302ad55e3d4ae73cc7dce2a4c3e829
                                                  • Instruction Fuzzy Hash: 8BB09B759240389BDF54DB64DC449C937687B48200B050586B51CA3150C931AD808F90
                                                  APIs
                                                  • LocalAlloc.KERNEL32(00000040,00000400), ref: 1000A591
                                                  • LoadLibraryA.KERNEL32 ref: 1000A5A9
                                                  • GetProcAddress.KERNEL32(00000000,AllocateAndGetTcpExTableFromStack), ref: 1000A5C1
                                                  • GetProcAddress.KERNEL32(00000000,AllocateAndGetUdpExTableFromStack), ref: 1000A5CB
                                                  • GetProcAddress.KERNEL32(00000000,InternalGetTcpTable2), ref: 1000A5E7
                                                  • GetProcessHeap.KERNEL32(00000001), ref: 1000A602
                                                  • GetProcessHeap.KERNEL32(00000002,00000002), ref: 1000AD8C
                                                  • GetProcessHeap.KERNEL32(00000002,00000002), ref: 1000ADAD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressHeapProcProcess$AllocLibraryLoadLocal
                                                  • String ID: %s:%u$*.*.*.*:*$AllocateAndGetTcpExTableFromStack$AllocateAndGetUdpExTableFromStack$CLOSE_WAIT$FIN_WAIT1$FIN_WAIT2$InternalGetTcpTable2$InternalGetUdpTableWithOwnerPid$LAST_ACK$TIME_WAIT$[TCP]$[UDP]$iphlpapi.dll
                                                  • API String ID: 370057222-305753129
                                                  • Opcode ID: 519bc66bccf35325d0b58bf220eed18991c6d328836e432961e0ea9d9299cabc
                                                  • Instruction ID: 3878becebeafeda62e551408519d1494f05c47cd3e4fb1777d1cfee609c89dcd
                                                  • Opcode Fuzzy Hash: 519bc66bccf35325d0b58bf220eed18991c6d328836e432961e0ea9d9299cabc
                                                  • Instruction Fuzzy Hash: 53A2C1766083159FC324CF28CC449ABB7E5FBC9710F554A2DF94A93281DA74ED0ACB92
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32 ref: 1002A387
                                                  • RegQueryValueExA.ADVAPI32(?,~MHz,00000000,00000000,?,?), ref: 1002A3B6
                                                  • RegCloseKey.ADVAPI32(?), ref: 1002A3C1
                                                  • GetSystemInfo.KERNEL32(?), ref: 1002A3CF
                                                  • wsprintfA.USER32 ref: 1002A3F8
                                                  • RegOpenKeyExA.ADVAPI32(80000002,00000043,00000000,00000001,?), ref: 1002A551
                                                  • RegQueryValueExA.ADVAPI32(00000001,ProcessorNameString,00000000,?,?,00000043), ref: 1002A59F
                                                  • RegCloseKey.ADVAPI32(?), ref: 1002A5EF
                                                  • GetComputerNameA.KERNEL32(?,secorPlartneC), ref: 1002A645
                                                    • Part of subcall function 1002A180: WTSQuerySessionInformationA.WTSAPI32(00000000,000000FF,00000005,?,?,?,75A78400,?), ref: 1002A19F
                                                    • Part of subcall function 1002A180: WTSFreeMemory.WTSAPI32(?,00000000,000000FF,00000005,?,?,?,75A78400,?), ref: 1002A1D0
                                                  • GetTickCount.KERNEL32 ref: 1002A65B
                                                  • wsprintfA.USER32 ref: 1002A6AB
                                                  • GetDC.USER32(00000000), ref: 1002A6B2
                                                  • GetDeviceCaps.GDI32(00000000,00000075), ref: 1002A6C3
                                                  • GetDeviceCaps.GDI32(00000000,00000076), ref: 1002A6C9
                                                  • wsprintfA.USER32 ref: 1002A6D9
                                                  • ReleaseDC.USER32(00000000,00000000), ref: 1002A6E1
                                                  • wsprintfA.USER32 ref: 1002A705
                                                  • wsprintfA.USER32 ref: 1002A727
                                                  • wsprintfA.USER32 ref: 1002A740
                                                  • GetCommandLineA.KERNEL32 ref: 1002A745
                                                  • wsprintfA.USER32 ref: 1002A759
                                                  • GetUserNameA.ADVAPI32(?,?), ref: 1002A773
                                                  • wsprintfA.USER32 ref: 1002A807
                                                  • wsprintfA.USER32 ref: 1002A81F
                                                  • FindWindowA.USER32(?,00000000), ref: 1002A869
                                                  • GetWindowTextA.USER32(00000000,?,00000104), ref: 1002A8CA
                                                  • GetWindow.USER32(00000000,00000002), ref: 1002A9AA
                                                  • GetClassNameA.USER32(00000000,?,00000104), ref: 1002A9BC
                                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 1002A9DD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wsprintf$NameQueryWindow$CapsCloseDeviceMemoryOpenValue$ClassCommandComputerCountFindFreeGlobalInfoInformationLineReleaseSessionStatusSystemTextTickUser
                                                  • String ID: %d * %d$%d*%dMHz$%s%s%s$0$A$A$A$A$C$C$C$C$CTXOPConntion_Class$D$D$D$D$E$E$E$E$H$H$I$I$I$I$N$N$O$O$P$P$P$P$ProcessorNameString$R$R$R$R$R$R$S$S$S$S$T$T$W$W$a$a$c$c$e$e$e$e$e$e$l$l$m$m$n$n$o$o$o$r$r$r$r$r$s$s$s$s$secorPlartneC$t$t$t$t$y$y$~MHz
                                                  • API String ID: 2087514681-3067132264
                                                  • Opcode ID: 4f9ab5874d6a9c99b09c8cf713a4fbc8110c896916dccf8130dbf9304e53c7af
                                                  • Instruction ID: 19f55457f820712e8733c4ae9a1eff4e9f613d46929fbac302733e88d6f4d938
                                                  • Opcode Fuzzy Hash: 4f9ab5874d6a9c99b09c8cf713a4fbc8110c896916dccf8130dbf9304e53c7af
                                                  • Instruction Fuzzy Hash: 3D22E13050C7C19EE325C638C854B9BBFD5ABD2304F484A5DF6D94B282DBBA9908C767
                                                  APIs
                                                  • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 1001410A
                                                  • InternetConnectA.WININET(00000000,00000000,000001BB,00000000,00000000,00000003,00000000,00000000), ref: 1001413A
                                                  • InternetCloseHandle.WININET(00000000), ref: 1001414B
                                                  Strings
                                                  • , xrefs: 10014100
                                                  • HTTP/1.1, xrefs: 10014170, 10014410
                                                  • Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1), xrefs: 10014082
                                                  • Accept: */*Referer: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_url=http%3A%2F%2Fqun.qq.com%2Fmember.html%23Accept-Language: zh-cnContent-Type: application/x-www-form-urlencoded, xrefs: 100140CB
                                                  • /cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_url=http%3A%2F%2Fqun.qq.com%2Fmember.html%23, xrefs: 100140B4
                                                  • /pt_get_uins?callback=ptui_getuins_CB&r=%s&%s, xrefs: 100143F3
                                                  • 0.9475416028552021, xrefs: 100143E7
                                                  • GET, xrefs: 10014176, 10014416
                                                  • pt_local_tk=, xrefs: 100142B5
                                                  • groups, xrefs: 100146D3
                                                  • localhost.ptlogin2.qq.com, xrefs: 100140E0
                                                  • pt_local_token=, xrefs: 10014280
                                                  • Set-Cookie: , xrefs: 1001430E, 1001435F
                                                  • xui.ptlogin2.qq.com, xrefs: 100140A2
                                                  • nickname, xrefs: 1001464D
                                                  • uin, xrefs: 10014658
                                                  • Accept: */*Referer: https://localhost.ptlogin2.qq.com:4301%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s, xrefs: 10014456
                                                  • friends, xrefs: 100146B1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$CloseConnectHandleOpen
                                                  • String ID: $/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_url=http%3A%2F%2Fqun.qq.com%2Fmember.html%23$/pt_get_uins?callback=ptui_getuins_CB&r=%s&%s$0.9475416028552021$Accept: */*Referer: https://localhost.ptlogin2.qq.com:4301%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s$Accept: */*Referer: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_url=http%3A%2F%2Fqun.qq.com%2Fmember.html%23Accept-Language: zh-cnContent-Type: application/x-www-form-urlencoded$GET$HTTP/1.1$Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)$Set-Cookie: $friends$groups$localhost.ptlogin2.qq.com$nickname$pt_local_tk=$pt_local_token=$uin$xui.ptlogin2.qq.com
                                                  • API String ID: 1463438336-3428588184
                                                  • Opcode ID: d5fce840208fc55bd6649f1f1c9febec2897434e5a5b3cd0b33532438a929aca
                                                  • Instruction ID: 10a0a4d67c7a86b0295143d81d79a2071c775b89c22be300c5b0aaeb6ee9b044
                                                  • Opcode Fuzzy Hash: d5fce840208fc55bd6649f1f1c9febec2897434e5a5b3cd0b33532438a929aca
                                                  • Instruction Fuzzy Hash: C20249766047047BE310DA68DC45FEF73D9EBC4720F450A29FA05E7280EF79E90586A6
                                                  APIs
                                                    • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,759183C0,1001F1D6), ref: 1001B666
                                                    • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                    • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                  • GetVersionExA.KERNEL32(?), ref: 1001E264
                                                    • Part of subcall function 1001AC50: LoadLibraryW.KERNEL32(ntdll.dll,?,00000000,1001B2AF,?,?,?), ref: 1001AC59
                                                    • Part of subcall function 1001AC50: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 1001AC6B
                                                    • Part of subcall function 1001AC50: FreeLibrary.KERNEL32(00000000), ref: 1001AC95
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1001E292
                                                  • sprintf.MSVCRT ref: 1001E2AD
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1001E31B
                                                  • CloseHandle.KERNEL32(00000000), ref: 1001E34D
                                                  • FindWindowA.USER32(#32770,GINA Logon), ref: 1001E377
                                                  • FindWindowA.USER32(#32770,1011F92C), ref: 1001E391
                                                  • Sleep.KERNEL32(0000012C), ref: 1001E3A1
                                                  • FindWindowA.USER32(#32770,GINA Logon), ref: 1001E3AD
                                                  • CloseHandle.KERNEL32(00000000), ref: 1001E414
                                                  • ExitProcess.KERNEL32 ref: 1001E433
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FindHandleLibraryWindow$AddressCloseLoadModuleProc$ExitFileFreeNameObjectProcessSingleSleepVersionWaitsprintf
                                                  • String ID: #32770$%s -acsi$-rsvc$-wait$.$.$2$2$3$3$A$A$A$A$C$C$D$E$E$E$GINA Logon$H$I$K$L$P$S$S$V$a$a$a$c$c$d$d$d$i$i$l$l$l$l$l$l$n$n$r$r$r$r$r$r$s$s$t$t$t$t$t$t$u$v$v$v$x
                                                  • API String ID: 2386940797-994141675
                                                  • Opcode ID: 8e58b7cd7314048a3ca952b2694528a053f36a74f5ded9613e8870e3b733b8fc
                                                  • Instruction ID: 0b4892b23dda3fddd3321fbd9ae7e1bf2f5fae29934837064835f9396de239c3
                                                  • Opcode Fuzzy Hash: 8e58b7cd7314048a3ca952b2694528a053f36a74f5ded9613e8870e3b733b8fc
                                                  • Instruction Fuzzy Hash: EBC13D6040C7C49EE311C7788898B4FBFD5ABA6348F58495CF2D84B292D3BAD948C767
                                                  APIs
                                                  • AttachConsole.KERNEL32(?), ref: 100101B3
                                                  • Sleep.KERNEL32(0000000A), ref: 100101BB
                                                  • AttachConsole.KERNEL32(?), ref: 100101C5
                                                  • GetConsoleProcessList.KERNEL32(?,00000001), ref: 100101D8
                                                  • #823.MFC42(00000000), ref: 100101E9
                                                  • GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 100101F9
                                                  • GetCurrentProcessId.KERNEL32 ref: 10010203
                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 10010217
                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 10010226
                                                  • CloseHandle.KERNEL32(00000000), ref: 1001022D
                                                  • #825.MFC42(00000000), ref: 1001023E
                                                  • FreeConsole.KERNEL32 ref: 1001024C
                                                  • Sleep.KERNEL32(0000000A), ref: 10010254
                                                  • FreeConsole.KERNEL32 ref: 1001025A
                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 10010266
                                                  • swprintf.MSVCRT(?,\Registry\Machine\System\CurrentControlSet\Services\%S,1011F500,NTDLL.DLL,ZwUnloadDriver,NTDLL.DLL,RtlInitUnicodeString,SeLoadDriverPrivilege,00000001), ref: 10010304
                                                  • SHDeleteKeyA.SHLWAPI(80000002,?), ref: 1001039A
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000001), ref: 100103A6
                                                  • OpenServiceA.ADVAPI32(00000000,1011EC82,00010000), ref: 100103BD
                                                  • DeleteService.ADVAPI32(00000000), ref: 100103D0
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 100103D7
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 100103DA
                                                  • GetSystemDirectoryA.KERNEL32 ref: 1001049F
                                                  • lstrcatA.KERNEL32(?,?), ref: 100104B4
                                                  • DeleteFileA.KERNEL32(?), ref: 100104C4
                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10010509
                                                  • lstrcatA.KERNEL32(?,?), ref: 10010518
                                                  • DeleteFileA.KERNEL32(?), ref: 10010522
                                                  • LocalFree.KERNEL32(?), ref: 1001052A
                                                  • free.MSVCRT ref: 1001053D
                                                  • free.MSVCRT ref: 10010546
                                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 1001055D
                                                  • GetCurrentProcess.KERNEL32(00000000), ref: 10010568
                                                  • IsWow64Process.KERNEL32(00000000), ref: 1001056F
                                                  • DeleteFileA.KERNEL32(?), ref: 1001060E
                                                  • SetServiceStatus.ADVAPI32(?,1012BB80), ref: 1001062D
                                                  • ExitProcess.KERNEL32 ref: 1001063A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$Console$DeleteService$CloseDirectoryFileFreeHandleOpen$AttachCurrentListSleepSystemTerminatefreelstrcat$#823#825ExitLocalManagerStatusWindowsWow64swprintf
                                                  • String ID: .$.$.sys$Host$MarkTime$NTDLL.DLL$P$RtlInitUnicodeString$SYSTEM\CurrentControlSet\Services\$SYSTEM\CurrentControlSet\Services\BITS$SYSTEM\Select$SYSTEM\Setup$SeLoadDriverPrivilege$V$ZwUnloadDriver$\$\$\Registry\Machine\System\CurrentControlSet\Services\%S$\sysnative\drivers\$\system32\drivers\$a$b$d$d$d$e$g$g$m$n$o$o$s$t$u
                                                  • API String ID: 2905031204-766513331
                                                  • Opcode ID: 5e9a9763105458d25da2cd9a7c8d780cd10ccc7712ec86b47248b6b2ff05a6d0
                                                  • Instruction ID: 0df2d05d1c38004283eae67fd2f714d6463ff2b246ad674028d2030a0443b284
                                                  • Opcode Fuzzy Hash: 5e9a9763105458d25da2cd9a7c8d780cd10ccc7712ec86b47248b6b2ff05a6d0
                                                  • Instruction Fuzzy Hash: 52D12235604354ABD310DB78CC88B9B7BD5EB84314F180A1DF689AB2D1DBB4ED44C7A6
                                                  APIs
                                                    • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                    • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                  • LocalAlloc.KERNEL32(00000040,00000104), ref: 10019960
                                                  • OpenSCManagerA.ADVAPI32 ref: 10019977
                                                  • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,?), ref: 100199A3
                                                  • LocalAlloc.KERNEL32(00000040,?), ref: 100199AC
                                                  • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,?), ref: 100199CE
                                                  • OpenServiceA.ADVAPI32(00000000,?,00000001), ref: 100199F4
                                                  • QueryServiceConfigA.ADVAPI32(00000000,00000000,00000000,?), ref: 10019A1A
                                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 10019A27
                                                  • QueryServiceConfigA.ADVAPI32(00000000,00000000,00000000,00000000), ref: 10019A3B
                                                  • QueryServiceConfig2A.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 10019A55
                                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 10019A62
                                                  • QueryServiceConfig2A.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 10019A7A
                                                  • lstrcatA.KERNEL32(?,100FBD1C), ref: 10019ADB
                                                  • lstrcatA.KERNEL32(?,100FBD14), ref: 10019B06
                                                  • lstrlenA.KERNEL32(00000040), ref: 10019B1C
                                                  • lstrlenA.KERNEL32(?), ref: 10019B24
                                                  • lstrlenA.KERNEL32 ref: 10019B2F
                                                  • lstrlenA.KERNEL32(?), ref: 10019B3B
                                                  • lstrlenA.KERNEL32(?), ref: 10019B44
                                                  • lstrlenA.KERNEL32(?), ref: 10019B4C
                                                  • LocalSize.KERNEL32(?), ref: 10019B5E
                                                  • LocalReAlloc.KERNEL32(?,00000000,00000042), ref: 10019B70
                                                  • lstrlenA.KERNEL32(?), ref: 10019B7E
                                                  • lstrlenA.KERNEL32(?), ref: 10019B88
                                                  • lstrlenA.KERNEL32(?), ref: 10019BB1
                                                  • lstrlenA.KERNEL32(00000000), ref: 10019BC6
                                                  • lstrlenA.KERNEL32 ref: 10019BCF
                                                  • lstrlenA.KERNEL32(00000000), ref: 10019BFA
                                                  • lstrlenA.KERNEL32 ref: 10019C0B
                                                  • lstrlenA.KERNEL32(00000000), ref: 10019C14
                                                  • lstrlenA.KERNEL32(00000001), ref: 10019C3A
                                                  • lstrlenA.KERNEL32(?), ref: 10019C49
                                                  • lstrlenA.KERNEL32(?), ref: 10019C6B
                                                  • lstrlenA.KERNEL32(?), ref: 10019C81
                                                  • lstrlenA.KERNEL32(?), ref: 10019CA9
                                                  • lstrlenA.KERNEL32(?), ref: 10019CBB
                                                  • lstrlenA.KERNEL32(?), ref: 10019CC5
                                                  • lstrlenA.KERNEL32(?), ref: 10019CE9
                                                  • LocalFree.KERNEL32(?), ref: 10019CFE
                                                  • LocalFree.KERNEL32(00000000), ref: 10019D01
                                                  • CloseServiceHandle.ADVAPI32(?), ref: 10019D08
                                                  • LocalFree.KERNEL32(00000000), ref: 10019D3B
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 10019D42
                                                  • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 10019D50
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrlen$Local$Service$Alloc$Query$FreeOpen$CloseConfigConfig2EnumHandleProcessServicesStatuslstrcat$CurrentManagerSizeToken
                                                  • String ID: SeDebugPrivilege
                                                  • API String ID: 19575313-2896544425
                                                  • Opcode ID: 2df178e330b11d1ae48753c649d3bb89eaa4c1e1807dcd0ba63a183abde4b81f
                                                  • Instruction ID: 602a72ac4dd89d5092f96c4d0856d720342e345610072c012a51b9f9dfb16572
                                                  • Opcode Fuzzy Hash: 2df178e330b11d1ae48753c649d3bb89eaa4c1e1807dcd0ba63a183abde4b81f
                                                  • Instruction Fuzzy Hash: 37D12C75204306AFD714DF64CC84AABB7E9FBC8700F54491DFA46A7250DB74E909CBA2
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateThread), ref: 1000115F
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001168
                                                  • LoadLibraryA.KERNEL32 ref: 100011B4
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100011B7
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveOutClose), ref: 100011C7
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100011CA
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInStop), ref: 100011DA
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100011DD
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInReset), ref: 100011ED
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100011F0
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInUnprepareHeader), ref: 10001200
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001203
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInClose), ref: 10001211
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001214
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveOutReset), ref: 10001224
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001227
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveOutUnprepareHeader), ref: 10001237
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1000123A
                                                  • #825.MFC42(?), ref: 100012C4
                                                  • #825.MFC42(00000000,?), ref: 100012CC
                                                  • #825.MFC42(?,00000000,?), ref: 100012D5
                                                  • #825.MFC42(?,?,00000000,?), ref: 100012DE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$#825
                                                  • String ID: C$H$KERNEL32.dll$TerminateThread$WINMM.dll$a$d$n$o$s$waveInClose$waveInReset$waveInStop$waveInUnprepareHeader$waveOutClose$waveOutReset$waveOutUnprepareHeader
                                                  • API String ID: 345516743-2415744366
                                                  • Opcode ID: 18d932df849a8b69c2fd67332b36b8b357b890c471afae06fbbbe5af20abdcb9
                                                  • Instruction ID: 3b114dfad24d7eddf03eb2cbd10a89371148df8dda5889fc91158876db1259a3
                                                  • Opcode Fuzzy Hash: 18d932df849a8b69c2fd67332b36b8b357b890c471afae06fbbbe5af20abdcb9
                                                  • Instruction Fuzzy Hash: 605143B5904384ABDB10DF74CC88D5B7F98EFD9350F45094DFA8457206DA3AD845CBA1
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strstr$Window$IconicTextVisible
                                                  • String ID: ApateDNS$Capsa$CurrPorts$Fiddler$Malwarebytes$Metascan$Port$Process$Sniff$TCPEye$TaskExplorer$Wireshark
                                                  • API String ID: 4234658395-3439171801
                                                  • Opcode ID: b07a9358bbb95ddcce161cb76fe8d70c969f7287dfbfef8b9f07b457c4f792a8
                                                  • Instruction ID: c51c130f5ec414d40a0ba44ae9ee6f5576232b5ae9cd22d577f982d193c35258
                                                  • Opcode Fuzzy Hash: b07a9358bbb95ddcce161cb76fe8d70c969f7287dfbfef8b9f07b457c4f792a8
                                                  • Instruction Fuzzy Hash: 0B519379A0031676D604F6748DC4BCB36D8EF5458AF46483EF888CA040F739EB8986A3
                                                  APIs
                                                  • GetVersionExA.KERNEL32 ref: 1001B28C
                                                    • Part of subcall function 1001AC50: LoadLibraryW.KERNEL32(ntdll.dll,?,00000000,1001B2AF,?,?,?), ref: 1001AC59
                                                    • Part of subcall function 1001AC50: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 1001AC6B
                                                    • Part of subcall function 1001AC50: FreeLibrary.KERNEL32(00000000), ref: 1001AC95
                                                    • Part of subcall function 1001A8F0: lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,759223A0), ref: 1001A98A
                                                    • Part of subcall function 1001A8F0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,00000000,759223A0), ref: 1001A9C4
                                                    • Part of subcall function 1001A8F0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,759223A0), ref: 1001A9D4
                                                    • Part of subcall function 1001A8F0: ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,00000000,759223A0), ref: 1001A9E4
                                                    • Part of subcall function 1001A8F0: CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,759223A0), ref: 1001A9EB
                                                    • Part of subcall function 1001A8F0: lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,759223A0), ref: 1001A9F8
                                                    • Part of subcall function 1001A8F0: gethostname.WS2_32(?,?), ref: 1001AA00
                                                    • Part of subcall function 1001A8F0: lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,759223A0), ref: 1001AA07
                                                  • getsockname.WS2_32(?), ref: 1001B2F6
                                                  • GetSystemInfo.KERNEL32(?,?,?,00000100,?,00000010,00000004), ref: 1001B363
                                                  • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001B384
                                                  • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001B3CF
                                                  • GetDiskFreeSpaceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001B3EA
                                                  • GetTickCount.KERNEL32 ref: 1001B496
                                                  • wsprintfA.USER32 ref: 1001B4B8
                                                  • wsprintfA.USER32 ref: 1001B4DF
                                                  • wsprintfA.USER32 ref: 1001B504
                                                  • wsprintfA.USER32 ref: 1001B52B
                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 1001B54C
                                                    • Part of subcall function 1001AA20: lstrlenA.KERNEL32(?,?,?,?,?,00000000,759183C0,759232C0,759223A0), ref: 1001AAA6
                                                    • Part of subcall function 1001AA20: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000,759183C0,759232C0,759223A0), ref: 1001AAE3
                                                    • Part of subcall function 1001AA20: GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,759183C0,759232C0,759223A0), ref: 1001AAF3
                                                    • Part of subcall function 1001AA20: ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,00000000,759183C0,759232C0,759223A0), ref: 1001AB03
                                                    • Part of subcall function 1001AA20: CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,759183C0,759232C0,759223A0), ref: 1001AB0A
                                                    • Part of subcall function 1001AA20: lstrlenA.KERNEL32(?,?,?,?,?,00000000,759183C0,759232C0,759223A0), ref: 1001AB11
                                                  • lstrcpyA.KERNEL32(?,?,?,00000100), ref: 1001B5B9
                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 1001B5C9
                                                  • GetLastInputInfo.USER32(?), ref: 1001B5E3
                                                  • GetTickCount.KERNEL32 ref: 1001B5E9
                                                  • _access.MSVCRT ref: 1001B608
                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 1001B62B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$lstrlen$lstrcpywsprintf$CloseCountCreateFreeHandleInfoLibraryReadSizeTick$AddressDiskDriveGlobalInputLastLoadMemoryProcSpaceStatusSystemTypeVersion_accessgethostnamegetsockname
                                                  • String ID: %$@$C:\ProgramData\jerrt.txt$D$Default$a$d$e$f$f$l$t$u
                                                  • API String ID: 429165215-739913618
                                                  • Opcode ID: 70d5d81430b9339b4b87a89870655033b63c12cfa3a1a37335c5909e745d7bab
                                                  • Instruction ID: 49f0004716d92fd24872b5ca3d35146abbc92b725903a05a1ef224c46368f530
                                                  • Opcode Fuzzy Hash: 70d5d81430b9339b4b87a89870655033b63c12cfa3a1a37335c5909e745d7bab
                                                  • Instruction Fuzzy Hash: C7A19DB55083859FD724CB68CC84BDBBBE9EBC8304F444A1DF58987241EB75A648CB62
                                                  APIs
                                                  • Sleep.KERNEL32(00000BB8,?,?,?,?,?,10098BF2,000000FF), ref: 1001D4C8
                                                  • sprintf.MSVCRT ref: 1001D4E7
                                                    • Part of subcall function 1001D480: GetFileAttributesA.KERNEL32(?,1001D9C8,?), ref: 1001D485
                                                  • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1001D540
                                                  • GetFileAttributesA.KERNEL32(?), ref: 1001D595
                                                  • CreateDirectoryA.KERNEL32(?,00000000), ref: 1001D5AB
                                                  • wsprintfA.USER32 ref: 1001D5D2
                                                  • CreateMutexA.KERNEL32(00000000,00000000,?,?,?,?,?,00000001), ref: 1001D5E7
                                                  • GetLastError.KERNEL32(?,?,?,?,00000001), ref: 1001D5F3
                                                  • ReleaseMutex.KERNEL32(00000000,?,?,?,?,00000001), ref: 1001D601
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000001), ref: 1001D608
                                                    • Part of subcall function 100048B0: WSAStartup.WS2_32(00000202,?), ref: 1000491D
                                                    • Part of subcall function 100048B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000492B
                                                    • Part of subcall function 1001D3B0: time.MSVCRT(00000000,1001DC1C), ref: 1001D3B2
                                                    • Part of subcall function 1001D3B0: srand.MSVCRT ref: 1001D3B9
                                                    • Part of subcall function 1001D390: EnumWindows.USER32(1001D150,?), ref: 1001D3A0
                                                  • Sleep.KERNEL32(000003E8), ref: 1001D64B
                                                  • Sleep.KERNEL32(000186A0), ref: 1001D665
                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001D67F
                                                  • GetTickCount.KERNEL32 ref: 1001D681
                                                  • GetTickCount.KERNEL32 ref: 1001D6AC
                                                  • GetTickCount.KERNEL32 ref: 1001D6F1
                                                  • GetTickCount.KERNEL32 ref: 1001D735
                                                  • Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001D758
                                                  • GetTickCount.KERNEL32 ref: 1001D77B
                                                  • Sleep.KERNEL32(00000096,?,00000001), ref: 1001D79A
                                                  • GetTickCount.KERNEL32 ref: 1001D7B7
                                                  • WaitForSingleObject.KERNEL32(?,00000064,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001D7C5
                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001D7DA
                                                  • #825.MFC42(?), ref: 1001D866
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleep$CountTick$Create$AttributesFileMutex$#825CloseD@2@@std@@D@std@@DirectoryEnumErrorEventGrow@?$basic_string@HandleLastObjectReleaseSingleStartupU?$char_traits@V?$allocator@WaitWindowssprintfsrandtimewsprintf
                                                  • String ID: %s:%d:%s$1.0.0$C:\ProgramData\%d.ini$C:\ProgramData\Microsoft Drive1$MyService1$e
                                                  • API String ID: 287845118-1910566113
                                                  • Opcode ID: f11f717b0bb64e47d535752adfd154bb21221df42febd4936ae265985878b28d
                                                  • Instruction ID: 22485af986d77e159b4f55e830ffcdca838e4d5ba84670817061d6910cd8e50c
                                                  • Opcode Fuzzy Hash: f11f717b0bb64e47d535752adfd154bb21221df42febd4936ae265985878b28d
                                                  • Instruction Fuzzy Hash: ECA1B0351083818FE320FF748C85B9EB7E4EB85744F44492DF9899B281EB75E949CB62
                                                  APIs
                                                    • Part of subcall function 1001D890: GetModuleFileNameA.KERNEL32 ref: 1001D8AD
                                                    • Part of subcall function 1001D890: strrchr.MSVCRT ref: 1001D8C3
                                                    • Part of subcall function 1001D890: strrchr.MSVCRT ref: 1001D904
                                                    • Part of subcall function 1001D890: isdigit.MSVCRT ref: 1001D93C
                                                    • Part of subcall function 1001D890: memmove.MSVCRT(?,?), ref: 1001D95D
                                                  • CreateThread.KERNEL32(00000000,00000000,1001D4A0,00000000,00000000,00000000), ref: 1001DAA4
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,10098C22,000000FF), ref: 1001DAB4
                                                  • sprintf.MSVCRT ref: 1001DAD3
                                                  • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1001DB2C
                                                  • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1001DB4F
                                                    • Part of subcall function 100048B0: WSAStartup.WS2_32(00000202,?), ref: 1000491D
                                                    • Part of subcall function 100048B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000492B
                                                    • Part of subcall function 1001D3B0: time.MSVCRT(00000000,1001DC1C), ref: 1001D3B2
                                                    • Part of subcall function 1001D3B0: srand.MSVCRT ref: 1001D3B9
                                                  • GetFileAttributesA.KERNEL32(?), ref: 1001DB83
                                                  • CreateDirectoryA.KERNEL32(?,00000000), ref: 1001DB99
                                                  • wsprintfA.USER32 ref: 1001DBC0
                                                  • CreateMutexA.KERNEL32(00000000,00000000,?,?,?,?,?,00000001), ref: 1001DBD5
                                                  • GetLastError.KERNEL32(?,?,?,?,00000001), ref: 1001DBE1
                                                  • ReleaseMutex.KERNEL32(00000000,?,?,?,?,00000001), ref: 1001DBEF
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000001), ref: 1001DBF6
                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001DC3A
                                                  • GetTickCount.KERNEL32 ref: 1001DC40
                                                  • GetTickCount.KERNEL32 ref: 1001DC67
                                                  • GetTickCount.KERNEL32 ref: 1001DCAC
                                                  • GetTickCount.KERNEL32 ref: 1001DCF0
                                                  • GetTickCount.KERNEL32 ref: 1001DD0E
                                                  • Sleep.KERNEL32(00000064,?,00000001), ref: 1001DD2A
                                                  • GetTickCount.KERNEL32 ref: 1001DD46
                                                  • WaitForSingleObject.KERNEL32(?,00000064,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001DD54
                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001DD69
                                                  • #825.MFC42(?), ref: 1001DE12
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CountTick$Create$Sleep$CloseD@2@@std@@D@std@@FileHandleMutexU?$char_traits@V?$allocator@strrchr$#825AttributesDirectoryEos@?$basic_string@ErrorEventGrow@?$basic_string@LastModuleNameObjectReleaseSingleStartupThreadWaitisdigitmemmovesprintfsrandtimewsprintf
                                                  • String ID: %s:%d:%s$1.0.0$C:\ProgramData\%d.ini$C:\ProgramData\Microsoft Drive$MyService$e
                                                  • API String ID: 4188121392-1841343700
                                                  • Opcode ID: b56300fe3b5f9186e28637c76ba7a62eb48c83d633883b35641bfb201d6253ea
                                                  • Instruction ID: 3dec9743cdb31eb7b3d2a406ac8a3200507690ed65feec82d8d096b96d7c3b57
                                                  • Opcode Fuzzy Hash: b56300fe3b5f9186e28637c76ba7a62eb48c83d633883b35641bfb201d6253ea
                                                  • Instruction Fuzzy Hash: 0FA1F6751083419BE320FF68CC85BABB7E4EF95744F04091DF9898B191DB75E988C752
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Event
                                                  • String ID: /*/$C:\ProgramData\Microsoft Drive\De.ini$Loop stopped as 1.txt does not exist.$Received command to stop loop. De.ini deleted.$jieshuxunhuan
                                                  • API String ID: 4201588131-4242312597
                                                  • Opcode ID: cd35a89f4f8be346bd41b26d9235ab9bc9cdfa24ee5166abe599360f9c5a6fc0
                                                  • Instruction ID: 368dbf102333d3f33aab7b414df493a5988d33fb55c3cd96ca69a7f772dd8b24
                                                  • Opcode Fuzzy Hash: cd35a89f4f8be346bd41b26d9235ab9bc9cdfa24ee5166abe599360f9c5a6fc0
                                                  • Instruction Fuzzy Hash: 2771F7B5604209AFF340DF389C81D9F77DCEF95295F040629F98E93246EB21F94897A2
                                                  APIs
                                                  • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                  • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                  • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                  • ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                  • ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                  • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                  • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                  • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                  • _strcmpi.MSVCRT ref: 1000BE80
                                                  • _strcmpi.MSVCRT ref: 1000BE97
                                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?), ref: 1000BEB3
                                                  • #825.MFC42(?), ref: 1000BF08
                                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?), ref: 1000BF2D
                                                  • DeleteFileA.KERNEL32(?), ref: 1000BF42
                                                  • FindNextFileA.KERNEL32(00000000,?), ref: 1000BF7B
                                                  • FindClose.KERNEL32(00000000), ref: 1000BF8A
                                                  • RemoveDirectoryA.KERNEL32(?), ref: 1000BF98
                                                  • #825.MFC42(?), ref: 1000BFBA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$D@2@@0@FileFindHstd@@Tidy@?$basic_string@V10@V?$basic_string@$#825_strcmpi$?append@?$basic_string@CloseDeleteDirectoryEos@?$basic_string@FirstFreeze@?$basic_string@Grow@?$basic_string@NextRemoveV12@Xran@std@@
                                                  • String ID: *.*
                                                  • API String ID: 2724700886-438819550
                                                  • Opcode ID: ad1961a91edd804f932eaf2f8cfb1b55517e5a9efd2cd6c5a4194da2198bfaeb
                                                  • Instruction ID: 3864407029e8fe6deab90730e0e99c0bea179ee7459791ed1101209935cd539f
                                                  • Opcode Fuzzy Hash: ad1961a91edd804f932eaf2f8cfb1b55517e5a9efd2cd6c5a4194da2198bfaeb
                                                  • Instruction Fuzzy Hash: F371E2754087859FE710DF24CC94AEEBBE4FB84380F444A2DF985872A5DB31A909CF52
                                                  APIs
                                                  • GetWindowLongA.USER32(?,000000EB), ref: 10002357
                                                  • PostQuitMessage.USER32(00000000), ref: 10002387
                                                  • SetWindowLongA.USER32(?,000000EB,?), ref: 100023A9
                                                  • GetModuleHandleA.KERNEL32(00000000,00000066), ref: 100023B3
                                                  • LoadIconA.USER32(00000000), ref: 100023BA
                                                  • SetClassLongA.USER32(?,000000F2,00000000), ref: 100023C4
                                                  • DestroyWindow.USER32(?), ref: 100023EA
                                                  Strings
                                                  • %s %d/%d/%d %d:%02d:%02d %s, xrefs: 10002513
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LongWindow$ClassDestroyHandleIconLoadMessageModulePostQuit
                                                  • String ID: %s %d/%d/%d %d:%02d:%02d %s
                                                  • API String ID: 3894596752-2160474225
                                                  • Opcode ID: 71ee426ec52ac96b800ba058b76f018c381004c1f2ad94f77a13b9f177fee775
                                                  • Instruction ID: d2af19665e460a136ed527ce0edd71708edc4414983fc6f4408890acd1a64255
                                                  • Opcode Fuzzy Hash: 71ee426ec52ac96b800ba058b76f018c381004c1f2ad94f77a13b9f177fee775
                                                  • Instruction Fuzzy Hash: B35123765046166FF321CB28CCC5FEB77ACFF48351F184735FA4AD21C2CA69A9098661
                                                  APIs
                                                  • lstrcatA.KERNEL32(00000000,?), ref: 1002AB66
                                                  • lstrcatA.KERNEL32(00000000,\*.*), ref: 1002AB75
                                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 1002AB91
                                                  • strstr.MSVCRT ref: 1002AC63
                                                  • GetPrivateProfileStringA.KERNEL32(InternetShortcut,URL,1012B064,?,00000104,?), ref: 1002ACB3
                                                  • lstrlenA.KERNEL32(00000000), ref: 1002ACBD
                                                  • lstrlenA.KERNEL32(?), ref: 1002ACC6
                                                  • LocalSize.KERNEL32(?), ref: 1002ACDC
                                                  • LocalReAlloc.KERNEL32(?,-00000400,00000042), ref: 1002ACF5
                                                  • lstrlenA.KERNEL32(?), ref: 1002AD05
                                                  • lstrlenA.KERNEL32(?), ref: 1002AD2F
                                                  • lstrlenA.KERNEL32(00000000), ref: 1002AD49
                                                  • lstrlenA.KERNEL32(00000000), ref: 1002AD79
                                                  • FindNextFileA.KERNEL32(?,?), ref: 1002AD95
                                                  • FindClose.KERNEL32(?), ref: 1002ADA4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrlen$Find$FileLocallstrcat$AllocCloseFirstNextPrivateProfileSizeStringstrstr
                                                  • String ID: .$.url$InternetShortcut$URL$\*.*
                                                  • API String ID: 3365753205-65308377
                                                  • Opcode ID: e63e9152de1129cd35951aaa2ae2c7e1fc7b87241327d0f163e2eb89177713f7
                                                  • Instruction ID: cc37fed24d0c1b66707767c96a90d062405800f199f040c6933d0359f7a738dd
                                                  • Opcode Fuzzy Hash: e63e9152de1129cd35951aaa2ae2c7e1fc7b87241327d0f163e2eb89177713f7
                                                  • Instruction Fuzzy Hash: 326114752047549FC729CB34CC84AEBB7E6FBC5305F544A1DFA4A93290DE74A90ACB41
                                                  APIs
                                                  • lstrlenA.KERNEL32(?,?,?,00000000,00000065), ref: 100092C6
                                                  • wsprintfA.USER32 ref: 1000931C
                                                  • FindFirstFileA.KERNEL32(?,?,100FA614,?,00000000,00000065), ref: 1000932E
                                                  • wsprintfA.USER32 ref: 10009390
                                                  • wsprintfA.USER32 ref: 100093BC
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 100093D6
                                                  • DeleteFileA.KERNEL32(?), ref: 100093E4
                                                  • FindNextFileA.KERNEL32(?,?), ref: 100093F4
                                                  • FindClose.KERNEL32(?), ref: 10009407
                                                  • RemoveDirectoryA.KERNEL32(?), ref: 1000940E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Findwsprintf$AttributesCloseDeleteDirectoryFirstNextRemovelstrlen
                                                  • String ID: %$%$%$%$%$.$.
                                                  • API String ID: 1639472542-2249276185
                                                  • Opcode ID: 2aea8407af68d81cd95f83c23c264e41da61d6d8c13cdc5b19b50d3487b0f872
                                                  • Instruction ID: f315fa8c29fec55d318e772443d46c7a284ddb7c65990d14359b7e7e16f1a137
                                                  • Opcode Fuzzy Hash: 2aea8407af68d81cd95f83c23c264e41da61d6d8c13cdc5b19b50d3487b0f872
                                                  • Instruction Fuzzy Hash: A2417F7100D3C19EE711CB64DC48AEBBBE8ABD6344F084A5DF5C893291D6759608C76B
                                                  APIs
                                                  • FindWindowA.USER32(?,00000000), ref: 1001A481
                                                  • GetWindowTextA.USER32(00000000,759232F0,00000104), ref: 1001A4DC
                                                  • GetWindow.USER32(00000000,00000002), ref: 1001A586
                                                  • GetClassNameA.USER32(00000000,759232F0,00000104), ref: 1001A595
                                                  • CloseHandle.KERNEL32(00000000), ref: 1001A5A4
                                                  • wsprintfA.USER32 ref: 1001A619
                                                  • GetFileAttributesA.KERNEL32(C:\ProgramData\Microsoft Drive\Destop.ini,?,00000001), ref: 1001A6C7
                                                  • GetFileAttributesA.KERNEL32(C:\ProgramData\Microsoft Drive\De.ini,?,00000001), ref: 1001A73B
                                                  • GetFileAttributesA.KERNEL32(C:\ProgramData\Microsoft Drive\id.ini,?,00000001), ref: 1001A774
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AttributesFileWindow$ClassCloseFindHandleNameTextwsprintf
                                                  • String ID: %s $C:\ProgramData\Microsoft Drive\De.ini$C:\ProgramData\Microsoft Drive\Destop.ini$C:\ProgramData\Microsoft Drive\id.ini$CTXOPConntion_Class$qq.exe
                                                  • API String ID: 2156150844-4244366814
                                                  • Opcode ID: c3d62f271ae4cf2f749e7f3db7bbdf53ba79ab53a3d0196b4ca422e2db9b4b53
                                                  • Instruction ID: c0ae37c25abf4f8968e68a42884e47e7a6172c3946883cabbb8bb6ed88b8f4aa
                                                  • Opcode Fuzzy Hash: c3d62f271ae4cf2f749e7f3db7bbdf53ba79ab53a3d0196b4ca422e2db9b4b53
                                                  • Instruction Fuzzy Hash: 3391F736614A081BC72CC57858556AB76C3EBC5370FA9073DFE6B9B2D1DEB8CD498240
                                                  APIs
                                                  • GetLogicalDriveStringsA.KERNEL32 ref: 10008E7D
                                                  • GetUserNameA.ADVAPI32(?,?), ref: 10008EA9
                                                  • _strcmpi.MSVCRT ref: 10008EBC
                                                  • SHGetFolderPathA.SHELL32(00000000,00000010,00000000,00000000,?), ref: 10008EE7
                                                  • CloseHandle.KERNEL32(00000000), ref: 10008EEE
                                                  • lstrlenA.KERNEL32(?), ref: 10008F02
                                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000104), ref: 10008F3D
                                                  • SHGetFileInfoA.SHELL32(?,00000080,?,00000160,00000410), ref: 10008F5B
                                                  • lstrlenA.KERNEL32(?), ref: 10008F69
                                                  • lstrlenA.KERNEL32(?), ref: 10008F77
                                                  • GetDiskFreeSpaceExA.KERNEL32(00000001,?,?,00000000), ref: 10008F96
                                                  • GetDriveTypeA.KERNEL32(?), ref: 10008FDD
                                                  • lstrlenA.KERNEL32(?), ref: 10009047
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrlen$Drive$CloseDiskFileFolderFreeHandleInfoInformationLogicalNamePathSpaceStringsTypeUserVolume_strcmpi
                                                  • String ID: SYSTEM$g
                                                  • API String ID: 545482129-3120117691
                                                  • Opcode ID: df723ad6942873d95c7a4638fbedeeb3016da053a09685ffa93ad8dbc41845db
                                                  • Instruction ID: c8429926c63601f6ea7d8031317dae8df0805160766070a83ab6d3e18fb45688
                                                  • Opcode Fuzzy Hash: df723ad6942873d95c7a4638fbedeeb3016da053a09685ffa93ad8dbc41845db
                                                  • Instruction Fuzzy Hash: 6B5180715083499FD710DF24C880AEBBBE9FBC8344F444A2DFA8997251D770AA09CB66
                                                  APIs
                                                    • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                    • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                  • NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?,00000000,00000000), ref: 10025511
                                                  • wcstombs.MSVCRT ref: 10025552
                                                  • NetApiBufferFree.NETAPI32(000000FF,00000000,00000000,00000002,?,000000FF,?,?,?,00000000,00000000), ref: 1002556E
                                                  • NetApiBufferFree.NETAPI32(000000FF,00000000,00000000,00000002,?,000000FF,?,?,?,00000000,00000000), ref: 1002558A
                                                  • LocalAlloc.KERNEL32(00000040,00000400,00000000,00000000,00000002,?,000000FF,?,?,?,00000000,00000000), ref: 100255AB
                                                  • lstrlenA.KERNEL32(1012C830), ref: 1002561B
                                                  • lstrlenA.KERNEL32(1012C830), ref: 1002563C
                                                  • lstrlenA.KERNEL32(?), ref: 1002564F
                                                  • lstrlenA.KERNEL32(?), ref: 10025671
                                                  • lstrlenA.KERNEL32(?), ref: 10025684
                                                  • lstrlenA.KERNEL32(?), ref: 100256A2
                                                  • LocalReAlloc.KERNEL32(00000000,00000001,00000042), ref: 100256D6
                                                    • Part of subcall function 1001B690: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1001B6D2
                                                    • Part of subcall function 1001B690: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6EA
                                                    • Part of subcall function 1001B690: GetLastError.KERNEL32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6F0
                                                    • Part of subcall function 1001B690: CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,00000000,00000000), ref: 1001B6FF
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrlen$AllocBufferFreeLocalProcessToken$AdjustCloseCurrentEnumErrorHandleLastLookupOpenPrivilegePrivilegesUserValuewcstombs
                                                  • String ID: SeDebugPrivilege
                                                  • API String ID: 2919970077-2896544425
                                                  • Opcode ID: 78b1a1b6bc3f65b40ab018d4b6cefc02c7c13f6065461d46f6d2d4ba0711ab30
                                                  • Instruction ID: d8d1decd2f31ab53430c73caae2f2fe1ce980c6cfeca2b6418d927d0e1de58a4
                                                  • Opcode Fuzzy Hash: 78b1a1b6bc3f65b40ab018d4b6cefc02c7c13f6065461d46f6d2d4ba0711ab30
                                                  • Instruction Fuzzy Hash: 0F51D3716047159BC304DF68DC819AFB7E5FBC8700F84491DF686A7241DB35E90ACB96
                                                  APIs
                                                  • Sleep.KERNEL32(0000000A), ref: 1000B8A6
                                                  • lstrlenA.KERNEL32(?), ref: 1000B8B1
                                                  • GetKeyState.USER32(00000010), ref: 1000B8FB
                                                  • GetAsyncKeyState.USER32(0000000D), ref: 1000B907
                                                  • GetKeyState.USER32(00000014), ref: 1000B914
                                                  • GetKeyState.USER32(00000014), ref: 1000B93C
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: State$AsyncSleeplstrlen
                                                  • String ID: <BackSpace>$<Enter>
                                                  • API String ID: 43598291-3792472884
                                                  • Opcode ID: 600104d3a6fed73dbf7a32e2fc48a2a7b55119f13c72bea2c34559d00484d6f4
                                                  • Instruction ID: 254073e1c1d6b0a9fa3052202c61483a4731d11cdb8d0cac1f822bb488184c88
                                                  • Opcode Fuzzy Hash: 600104d3a6fed73dbf7a32e2fc48a2a7b55119f13c72bea2c34559d00484d6f4
                                                  • Instruction Fuzzy Hash: C3510471508B86ABF710DF64CC847AF73E9EB82384F010E2DEA5192194DB35D949C753
                                                  APIs
                                                  • CreateFileA.KERNEL32 ref: 1000E6D2
                                                  • DeviceIoControl.KERNEL32(00000000,00090018,00000000,00000000,00000000,00000000,?,00000000), ref: 1000E705
                                                  • WriteFile.KERNEL32(00000000,00000000,00000200,00000000,00000000), ref: 1000E719
                                                  • DeviceIoControl.KERNEL32(00000000,0009001C,00000000,00000000,00000000,00000000,?,00000000), ref: 1000E734
                                                  • CloseHandle.KERNEL32(00000000), ref: 1000E737
                                                  • Sleep.KERNEL32(000007D0), ref: 1000E742
                                                  • GetVersion.KERNEL32 ref: 1000E748
                                                  • ExitWindowsEx.USER32(00000006,00000000), ref: 1000E768
                                                  • ExitProcess.KERNEL32 ref: 1000E770
                                                    • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                    • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$ControlDeviceExitFile$CloseCreateCurrentHandleOpenSleepTokenVersionWindowsWrite
                                                  • String ID: SeShutdownPrivilege$U$\\.\PHYSICALDRIVE0
                                                  • API String ID: 554375110-3993181469
                                                  • Opcode ID: 0afe2ad8e16ea5edbc017d365728db05ca0ba4cd117a679420f1a44199d0639f
                                                  • Instruction ID: f74105865133530c9c42a2179fda12015e9b4dafff81d6fb0ebd67d8a36456bb
                                                  • Opcode Fuzzy Hash: 0afe2ad8e16ea5edbc017d365728db05ca0ba4cd117a679420f1a44199d0639f
                                                  • Instruction Fuzzy Hash: BE210735284751BBF230EB64DC4AFDB3B94BB84B10F240614FB697E1D0DAA465048B6A
                                                  APIs
                                                  • lstrlenA.KERNEL32(?,?,?,00000065), ref: 100090AA
                                                  • wsprintfA.USER32 ref: 100090FA
                                                  • FindFirstFileA.KERNEL32(?,?,?,100FA614,?,00000065), ref: 10009110
                                                  • LocalAlloc.KERNEL32(00000040,00002800,00000000,?,00000065), ref: 10009146
                                                  • LocalReAlloc.KERNEL32(00000000,?,00000042,?,00000065), ref: 10009174
                                                  • lstrlenA.KERNEL32(?,?,00000065), ref: 10009203
                                                  • FindNextFileA.KERNEL32(?,?,?,00000065), ref: 10009256
                                                  • LocalFree.KERNEL32(00000000,?,00000065), ref: 10009272
                                                  • FindClose.KERNEL32(?,?,00000065), ref: 1000927D
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FindLocal$AllocFilelstrlen$CloseFirstFreeNextwsprintf
                                                  • String ID: .$h
                                                  • API String ID: 4283800025-2131999284
                                                  • Opcode ID: 307e575320043b804115caed38cbac3ec8beb5b39f228cc1392b29c0c3c3f6ac
                                                  • Instruction ID: c7647cf31d52d82308ceeeae83e521db419cc323410b7d2ca49bf5210a9fd8ba
                                                  • Opcode Fuzzy Hash: 307e575320043b804115caed38cbac3ec8beb5b39f228cc1392b29c0c3c3f6ac
                                                  • Instruction Fuzzy Hash: EA51287560C3829BE710CF289C84ADBBBE5EF99384F144A58F8D897381D279990DC762
                                                  APIs
                                                  • lstrlenA.KERNEL32(00000000), ref: 10025AC9
                                                  • lstrlenA.KERNEL32(00000000), ref: 10025AD9
                                                  • lstrlenA.KERNEL32(00000000), ref: 10025AE2
                                                    • Part of subcall function 100245F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 10024614
                                                    • Part of subcall function 100245F0: #823.MFC42(00000002,?,00000000,00000000), ref: 10024621
                                                    • Part of subcall function 100245F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1002463D
                                                  • NetUserAdd.NETAPI32 ref: 10025B38
                                                  • #825.MFC42(?), ref: 10025B46
                                                  • #825.MFC42(?,?), ref: 10025B50
                                                  • wcscpy.MSVCRT ref: 10025B94
                                                  • #825.MFC42(?), ref: 10025B9F
                                                  • #825.MFC42(?,?), ref: 10025BA9
                                                  • NetLocalGroupAddMembers.NETAPI32(00000000,00000000,00000003,?,00000001,?,00000000,00000001,?,?), ref: 10025BCC
                                                  • #825.MFC42(00000000,00000000,00000000,00000003,?,00000001,?,00000000,00000001,?,?), ref: 10025BD4
                                                  • LocalFree.KERNEL32(?,00000001,?,00000000,00000001,?,?), ref: 10025C05
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #825$lstrlen$ByteCharLocalMultiWide$#823FreeGroupMembersUserwcscpy
                                                  • String ID:
                                                  • API String ID: 3899135135-0
                                                  • Opcode ID: 845040a6a147bf0244a5e108915e50923d3870f156928ecec06d720133b77a1b
                                                  • Instruction ID: dd9d3f93371bab7a31d82c422f9be74c5db956489815e8898b81c9b0b0312487
                                                  • Opcode Fuzzy Hash: 845040a6a147bf0244a5e108915e50923d3870f156928ecec06d720133b77a1b
                                                  • Instruction Fuzzy Hash: 7D41B4B56083046BD710DB74DC81EAFB7ECEFC4704F44092DF58497242EAB9E9498B62
                                                  APIs
                                                    • Part of subcall function 1002C6A0: LoadLibraryA.KERNEL32 ref: 1002C6B7
                                                    • Part of subcall function 1002C6A0: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 1002C6C7
                                                    • Part of subcall function 1002C6A0: GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 1002C6D1
                                                    • Part of subcall function 1002C6A0: GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 1002C6DD
                                                    • Part of subcall function 1002C6A0: LoadLibraryA.KERNEL32(kernel32.dll), ref: 1002C6E8
                                                    • Part of subcall function 1002C6A0: GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 1002C6F4
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000ED2D
                                                  • Process32First.KERNEL32(00000000,00000128), ref: 1000ED4F
                                                  • _strcmpi.MSVCRT ref: 1000ED70
                                                  • OpenProcess.KERNEL32(00000001,00000000,?,00000002,00000000), ref: 1000ED81
                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 1000ED8A
                                                  • Process32Next.KERNEL32(00000000,?), ref: 1000ED92
                                                  • CloseHandle.KERNEL32(00000000,00000000,?,00000002,00000000), ref: 1000ED9C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoadProcessProcess32$CloseCreateFirstHandleNextOpenSnapshotTerminateToolhelp32_strcmpi
                                                  • String ID: SeDebugPrivilege$explorer.exe
                                                  • API String ID: 3814622859-2721386251
                                                  • Opcode ID: 9745fbd0434098cbd2d8b7dbb2f7fa8ad6dc817a89ea0a6b86a541c905211a0a
                                                  • Instruction ID: 17e0e04e845da399990fac659a5be735f6de37b5642c8976c51b599fa26cdcf9
                                                  • Opcode Fuzzy Hash: 9745fbd0434098cbd2d8b7dbb2f7fa8ad6dc817a89ea0a6b86a541c905211a0a
                                                  • Instruction Fuzzy Hash: 9611D6B66003497BF310EBB0AC46FE7779CEB84381F440926FF05A2181EA65FD1846B2
                                                  APIs
                                                  • WSAStartup.WS2_32(00000202,?), ref: 10023A21
                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 10023A35
                                                  • htons.WS2_32 ref: 10023A68
                                                  • bind.WS2_32 ref: 10023A83
                                                  • listen.WS2_32(00000000,00000032), ref: 10023A94
                                                  • accept.WS2_32(00000000,00000000,00000000), ref: 10023ABD
                                                  • malloc.MSVCRT ref: 10023AC3
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_00023710,00000000,00000000,?), ref: 10023ADF
                                                  • Sleep.KERNEL32(000003E8), ref: 10023AEE
                                                  • CloseHandle.KERNEL32(00000000), ref: 10023AF7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateHandleSleepStartupThreadacceptbindhtonslistenmallocsocket
                                                  • String ID:
                                                  • API String ID: 1905318980-0
                                                  • Opcode ID: c5ab5da55ce875738ee350a318f10e2aae45705a3185965182b66f85494858ea
                                                  • Instruction ID: 56a3a21ef628f72f30326426070828200dff5f44208a3ceca9b41ec927aefec2
                                                  • Opcode Fuzzy Hash: c5ab5da55ce875738ee350a318f10e2aae45705a3185965182b66f85494858ea
                                                  • Instruction Fuzzy Hash: E121D6346483116BF310DF68EC8ABAB77E8FF84750F404628F698D62E0E7B199048627
                                                  APIs
                                                  • OpenClipboard.USER32(00000000), ref: 100026B3
                                                  • GetClipboardData.USER32(00000001), ref: 100026C7
                                                  • GlobalLock.KERNEL32(00000000), ref: 100026D8
                                                  • EmptyClipboard.USER32 ref: 100026F2
                                                  • GlobalAlloc.KERNEL32(00000002), ref: 1000270A
                                                  • GlobalLock.KERNEL32(00000000), ref: 10002717
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 1000273B
                                                  • SetClipboardData.USER32(00000001,00000000), ref: 10002744
                                                  • GlobalUnlock.KERNEL32(?), ref: 1000274F
                                                  • CloseClipboard.USER32 ref: 10002755
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyOpen
                                                  • String ID:
                                                  • API String ID: 3065066218-0
                                                  • Opcode ID: 2862ed5687d03e5c65a8664783a7ab9890a1c27da8607513131cd222ce1fbffd
                                                  • Instruction ID: eef061908f3c3295b15891c3fed615895cfe21d81dbfaa5e572b4fb253c06cc9
                                                  • Opcode Fuzzy Hash: 2862ed5687d03e5c65a8664783a7ab9890a1c27da8607513131cd222ce1fbffd
                                                  • Instruction Fuzzy Hash: 1F1194392406255FF3189B758C9DA6B7BD8FB846A2F19032DF61AC32E0DFA0DC008660
                                                  APIs
                                                    • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                    • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 1002699D
                                                  • OpenServiceA.ADVAPI32(00000000,sharedaccess,000F01FF), ref: 100269B0
                                                  • QueryServiceStatus.ADVAPI32(00000000,?), ref: 100269BE
                                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,10024718), ref: 100269D3
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,10024718), ref: 100269E0
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,10024718), ref: 100269E3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$Open$CloseHandleProcess$ControlCurrentManagerQueryStatusToken
                                                  • String ID: SeDebugPrivilege$sharedaccess
                                                  • API String ID: 3393504433-1846105483
                                                  • Opcode ID: ce8e6fc67a2ccba37952bd164af71141f4f10c9aa343a26c45b4f98af76cedcd
                                                  • Instruction ID: b575c87dfdc42cc8fbc6e1e748c8d9e8ce04e9065edd3bdd8c21b0b3396251f5
                                                  • Opcode Fuzzy Hash: ce8e6fc67a2ccba37952bd164af71141f4f10c9aa343a26c45b4f98af76cedcd
                                                  • Instruction Fuzzy Hash: 67F0F639650124BBE210BB548C8AFFB3E68FF99791F44011AF70CA9191EBB458448AB2
                                                  APIs
                                                  • OpenClipboard.USER32(00000000), ref: 10017BB2
                                                  • EmptyClipboard.USER32 ref: 10017BBE
                                                  • GlobalAlloc.KERNEL32(00002000,?,?,?), ref: 10017BCE
                                                  • GlobalLock.KERNEL32(00000000), ref: 10017BDC
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 10017BF9
                                                  • SetClipboardData.USER32(00000001,00000000), ref: 10017C02
                                                  • GlobalFree.KERNEL32(00000000), ref: 10017C09
                                                  • CloseClipboard.USER32 ref: 10017C10
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock
                                                  • String ID:
                                                  • API String ID: 453615576-0
                                                  • Opcode ID: b4994271ed0c5f6ad7c9827fe64acb0f777f19826ff97a28270b989e17eee570
                                                  • Instruction ID: db7201b96ab1820305f6fb52e99ee6ce304ff54deb9d779612551a26aa299f3d
                                                  • Opcode Fuzzy Hash: b4994271ed0c5f6ad7c9827fe64acb0f777f19826ff97a28270b989e17eee570
                                                  • Instruction Fuzzy Hash: 61F036752016219FE7146B604CCCBEF36A8FB48752B490519F90AD6251CB649940C7B1
                                                  APIs
                                                  • OpenClipboard.USER32(00000000), ref: 100025B8
                                                  • GetClipboardData.USER32(00000001), ref: 100025C6
                                                  • GlobalLock.KERNEL32(00000000), ref: 100025CF
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 10002609
                                                  • CloseClipboard.USER32 ref: 1000260F
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 10002632
                                                  • CloseClipboard.USER32 ref: 10002638
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Clipboard$Global$CloseUnlock$DataLockOpen
                                                  • String ID:
                                                  • API String ID: 2537359085-0
                                                  • Opcode ID: 80ece2687852f306fd33edd9e14cf1056a4f7933bde801836cb5a50ead5f4239
                                                  • Instruction ID: fa833299b88c5f4a584283747ecb7ea9d0db2f1ad11210ff9961461b47ce4595
                                                  • Opcode Fuzzy Hash: 80ece2687852f306fd33edd9e14cf1056a4f7933bde801836cb5a50ead5f4239
                                                  • Instruction Fuzzy Hash: 0001B5792106145BF3089B358C8DAAB3B98FBC0321F18072AF91B961E1EFE5ED048664
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1001B6D2
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6EA
                                                  • GetLastError.KERNEL32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6F0
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,00000000,00000000), ref: 1001B6FF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                                  • String ID:
                                                  • API String ID: 3398352648-0
                                                  • Opcode ID: 4016afdebf76fc38c603403ce2775b0087815ffa4e94011ab6c2084e23305a80
                                                  • Instruction ID: 9ea1a39ba13499be5e37f09f5477951cbb04746b7bbf0bdf0a23c0e989a9349b
                                                  • Opcode Fuzzy Hash: 4016afdebf76fc38c603403ce2775b0087815ffa4e94011ab6c2084e23305a80
                                                  • Instruction Fuzzy Hash: AA0144B9654300ABE304EF74CC89FAB77A4FB84700F88891CF64A86290D675D4448B61
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000028), ref: 100290D0
                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 100290D7
                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10029105
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000010,00000000,00000000), ref: 1002911D
                                                  • GetLastError.KERNEL32 ref: 10029123
                                                  • CloseHandle.KERNEL32(?), ref: 10029134
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                                  • String ID:
                                                  • API String ID: 3398352648-0
                                                  • Opcode ID: 149c958cf4e409a043c1ff8710811fbd874f2c7f626f077d67b57da5f78a4f18
                                                  • Instruction ID: 4db5a6e2c7b4cb126f103a4b1f94b4cfd3d626149b56619aedb11a4ed5bc1c08
                                                  • Opcode Fuzzy Hash: 149c958cf4e409a043c1ff8710811fbd874f2c7f626f077d67b57da5f78a4f18
                                                  • Instruction Fuzzy Hash: F4018879654310AFE304EB78CC89F9B77A8FB84B00F448A1DF68D96290D775D8048761
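The function records above are the ones an analyst would key behaviour tags on: explorer.exe is located with CreateToolhelp32Snapshot/Process32First and opened with access 0x00000001 (PROCESS_TERMINATE) before TerminateProcess; socket(2,1,6) is AF_INET/SOCK_STREAM/IPPROTO_TCP and the listen backlog 0x32 is 50, with a CreateThread per accepted client; GetClipboardData(00000001) reads CF_TEXT; OpenSCManagerA(...,000F003F) and OpenServiceA(...,sharedaccess,000F01FF) use SC_MANAGER_ALL_ACCESS and SERVICE_ALL_ACCESS, and ControlService(...,00000001,...) is SERVICE_CONTROL_STOP against the Windows Firewall/ICS service; the 00000028 visible on the stack at GetCurrentProcess is TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, the access mask OpenProcessToken receives before LookupPrivilegeValueA/AdjustTokenPrivileges. The following Python is an added example, not Joe Sandbox code: it parses the "APIs" bullet lines exactly as this report prints them and maps API sets plus those argument constants to behaviour tags. The SAMPLE_* records are copied from this page; the tag names and the rule logic are the example's own choices.

```python
"""Triage helper for Joe Sandbox 'APIs' function records (added example, not
Joe Sandbox code). Parses the report's bullet lines and maps API sets plus
argument constants (Win32 SDK values) to behaviour tags."""
import re

# "• [Part of subcall function X: ]Api.MODULE(args), ref: ADDR"  (args optional)
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*[0-9A-Fa-f]+")
STRING_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")

PROCESS_TERMINATE, SERVICE_CONTROL_STOP, CF_TEXT = 0x0001, 0x0001, 1
AF_INET, SOCK_STREAM, IPPROTO_TCP = 2, 1, 6


def parse_record(text):
    """Return ({api_name: [argument lists]}, {literal strings}) for one record."""
    calls, strings = {}, set()
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            raw = m.group("args")
            calls.setdefault(m.group("api"), []).append(
                [a.strip() for a in raw.split(",")] if raw else [])
            continue
        s = STRING_LINE.match(line)
        if s:  # "String ID: a$b$c" lists the literals referenced by the function
            strings.update(x for x in s.group("ids").split("$") if x.strip())
    return calls, strings


def arg_int(calls, api, index):
    """Decode argument `index` of the first call to `api`; None for '?' or symbolic."""
    for args in calls.get(api, []):
        if index < len(args) and re.fullmatch(r"[0-9A-Fa-f]+", args[index]):
            return int(args[index], 16)
    return None


def classify(text):
    """Map one function record to a sorted list of behaviour tags."""
    calls, strings = parse_record(text)

    def has(*names):
        return all(n in calls for n in names)

    tags = []
    if has("OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges"):
        # Privilege name is only in String ID when it is a literal in this function.
        priv = next((s for s in strings if s.startswith("Se")), "name-not-in-record")
        tags.append(f"privilege-enable:{priv}")
    if has("CreateToolhelp32Snapshot", "Process32First", "OpenProcess", "TerminateProcess"):
        target = next((s for s in strings if s.lower().endswith(".exe")), "unknown")
        mode = "terminate-only" if arg_int(calls, "OpenProcess", 0) == PROCESS_TERMINATE else "access-unknown"
        tags.append(f"kill-process:{target}:{mode}")
    if has("socket", "bind", "listen", "accept"):
        tcp = tuple(arg_int(calls, "socket", i) for i in range(3)) == (AF_INET, SOCK_STREAM, IPPROTO_TCP)
        model = "thread-per-client" if "CreateThread" in calls else "inline"
        tags.append(f"listener:{'tcp' if tcp else 'other'}:{model}")
    if has("OpenClipboard", "GetClipboardData"):
        fmt = arg_int(calls, "GetClipboardData", 0)
        tags.append("clipboard-read:" + ("text" if fmt == CF_TEXT else f"format-{fmt}"))
    if has("OpenClipboard", "SetClipboardData"):
        tags.append("clipboard-write")
    if has("OpenSCManagerA", "OpenServiceA", "ControlService"):
        svc = calls["OpenServiceA"][0]  # (hSCManager, lpServiceName, dwDesiredAccess)
        name = svc[1] if len(svc) > 1 and not re.fullmatch(r"[0-9A-Fa-f]{8}|\?", svc[1]) else "unknown"
        action = "stop" if arg_int(calls, "ControlService", 1) == SERVICE_CONTROL_STOP else "control"
        tags.append(f"service-{action}:{name}")
        if name.lower() == "sharedaccess":  # Windows Firewall / Internet Connection Sharing service
            tags.append("firewall-tamper")
    return sorted(tags)


# Records copied from this report (trimmed to the lines the rules use).
SAMPLE_KILL = """\
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000ED2D
• Process32First.KERNEL32(00000000,00000128), ref: 1000ED4F
• _strcmpi.MSVCRT ref: 1000ED70
• OpenProcess.KERNEL32(00000001,00000000,?,00000002,00000000), ref: 1000ED81
• TerminateProcess.KERNEL32(00000000,00000000), ref: 1000ED8A
• String ID: SeDebugPrivilege$explorer.exe
"""
SAMPLE_LISTENER = """\
• WSAStartup.WS2_32(00000202,?), ref: 10023A21
• socket.WS2_32(00000002,00000001,00000006), ref: 10023A35
• bind.WS2_32 ref: 10023A83
• listen.WS2_32(00000000,00000032), ref: 10023A94
• accept.WS2_32(00000000,00000000,00000000), ref: 10023ABD
• CreateThread.KERNEL32(00000000,00000000,Function_00023710,00000000,00000000,?), ref: 10023ADF
"""
SAMPLE_SERVICE = """\
• Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 1002699D
• OpenServiceA.ADVAPI32(00000000,sharedaccess,000F01FF), ref: 100269B0
• ControlService.ADVAPI32(00000000,00000001,?,?,10024718), ref: 100269D3
• String ID: SeDebugPrivilege$sharedaccess
"""

if __name__ == "__main__":
    for label, rec in [("kill", SAMPLE_KILL), ("listener", SAMPLE_LISTENER), ("service", SAMPLE_SERVICE)]:
        print(label, classify(rec))
```

Run it over every "APIs" block of the report (split on the "APIs" heading) and the three sample records yield kill-process:explorer.exe:terminate-only, listener:tcp:thread-per-client, and firewall-tamper plus service-stop:sharedaccess; the privilege records tag as privilege-enable:name-not-in-record because the privilege name is passed by pointer and is not a literal in those functions. The caveat is that subcall lines are counted as if inline, so a rule can fire on APIs reached through a helper; keep that in mind before treating a tag as proof of a direct call.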
                                                  APIs
                                                  • CoInitialize.OLE32(00000000), ref: 1001A107
                                                  • CoCreateInstance.OLE32(100EACE0,00000000,00000001,100EACC0,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001A11F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateInitializeInstance
                                                  • String ID: FriendlyName
                                                  • API String ID: 3519745914-3623505368
                                                  • Opcode ID: 66e595efa1f5612c210071dee90111c78dec33aabc564f56092dce953b27a62c
                                                  • Instruction ID: a483ef6e016667173818b6ae74308f15a9a9b41afdc33b466db5e1f0a45f223b
                                                  • Opcode Fuzzy Hash: 66e595efa1f5612c210071dee90111c78dec33aabc564f56092dce953b27a62c
                                                  • Instruction Fuzzy Hash: 97310674244202AFD604CF65CC88F5BB7E8FF89714F148958F549DB250DB74E88A8B62
                                                  APIs
                                                  • FindFirstFileA.KERNEL32(?,?,?,?,00000000), ref: 10009C85
                                                  • FindClose.KERNEL32(00000000), ref: 10009D07
                                                  • CloseHandle.KERNEL32(?), ref: 10009D19
                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 10009D31
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseFileFind$CreateFirstHandle
                                                  • String ID: p
                                                  • API String ID: 3283578348-2181537457
                                                  • Opcode ID: 5ca221129d8a3a18f25eb801b6ab58ffdf62e839a6ab82df66ebab739c56a846
                                                  • Instruction ID: 2b1597b52ddb8eafb0e91e12b29208ebd2643c3ea00a9cd01ad1c39fb074611e
                                                  • Opcode Fuzzy Hash: 5ca221129d8a3a18f25eb801b6ab58ffdf62e839a6ab82df66ebab739c56a846
                                                  • Instruction Fuzzy Hash: 7631BC719087019BF324DF28CC45B8FB6D6EBC53A0F25461EF1AA873D4D634D4458B41
                                                  Strings
                                                  • *** IFRAME bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 100802CC
                                                  • *** BFRAME (flush) bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 10080402
                                                  • *** FINISH bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 100806E0
                                                  • IVOP, xrefs: 100802F0
                                                  • *** EMPTY bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 100804BE
                                                  • *** END, xrefs: 1008083B
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: *** BFRAME (flush) bf: head=%i tail=%i queue: head=%i tail=%i size=%i$*** EMPTY bf: head=%i tail=%i queue: head=%i tail=%i size=%i$*** END$*** FINISH bf: head=%i tail=%i queue: head=%i tail=%i size=%i$*** IFRAME bf: head=%i tail=%i queue: head=%i tail=%i size=%i$IVOP
                                                  • API String ID: 0-2073594325
                                                  • Opcode ID: bd075c5b82562bcdd17865e7b3567cc286ae3052d9d3151d7098e9029afea3dc
                                                  • Instruction ID: 25a46a86ab63f6e0888d695531c25f8f022c1c995c94212cc85fea5cb882b4f1
                                                  • Opcode Fuzzy Hash: bd075c5b82562bcdd17865e7b3567cc286ae3052d9d3151d7098e9029afea3dc
                                                  • Instruction Fuzzy Hash: 96A226B5A042889FDB68CF18C881BEA77E5FF89344F10861DFD898B351D774AA41CB91
                                                  APIs
                                                  Yara matches
                                                  Similarity
                                                  • API ID: bindsocket
                                                  • String ID:
                                                  • API String ID: 3370621091-0
                                                  • Opcode ID: 85dc332e68de125305a9dd3892cc226241b1110390aa54452521c95da12b1cd6
                                                  • Instruction ID: 8e805546ef113c3ac3a2f35078ac83ca8a84d9fad177171d366f9001e7ac871c
                                                  • Opcode Fuzzy Hash: 85dc332e68de125305a9dd3892cc226241b1110390aa54452521c95da12b1cd6
                                                  • Instruction Fuzzy Hash: E8116DB4814311AFE300DF38D8856EABBE4FF89318F444A1DF49CC7290E3B58A458B96
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 10027105
                                                  • Process32First.KERNEL32(00000000,?), ref: 10027112
                                                  • CloseHandle.KERNEL32(00000000,00000000,?), ref: 1002715B
                                                    • Part of subcall function 10026F40: CreateToolhelp32Snapshot.KERNEL32(00000008,?,00000000,00000000,?,00000074), ref: 10026F67
                                                    • Part of subcall function 10026F40: Module32First.KERNEL32(00000000,00000000), ref: 10026F7C
                                                    • Part of subcall function 10026F40: lstrcmpiA.KERNEL32(?,?), ref: 10026F9B
                                                    • Part of subcall function 10026F40: Module32Next.KERNEL32(00000000,00000000), ref: 10026FA7
                                                    • Part of subcall function 10026F40: lstrcmpiA.KERNEL32(?,?), ref: 10026FB9
                                                    • Part of subcall function 10026F40: CloseHandle.KERNEL32(00000000), ref: 10026FC4
                                                  • Process32Next.KERNEL32(00000000,?), ref: 10027150
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateFirstHandleModule32NextProcess32SnapshotToolhelp32lstrcmpi
                                                  • String ID:
                                                  • API String ID: 1584622316-0
                                                  • Opcode ID: 0e47aba4332e876abc14e7755c421cd63b0223f9de7432f19338bccb8822ca76
                                                  • Instruction ID: b3f5742757dc67417d80ccb19e15a7cf549f2a7c7405ea7f21a0163c39de1ff2
                                                  • Opcode Fuzzy Hash: 0e47aba4332e876abc14e7755c421cd63b0223f9de7432f19338bccb8822ca76
                                                  • Instruction Fuzzy Hash: 38F0A4B75002116AE750D764FC82EBB76ECEF84790F864529FD4886141EB29DD1482F2
                                                  APIs
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: exitfprintf
                                                  • String ID: %s
                                                  • API String ID: 4243785698-620797490
                                                  • Opcode ID: 345a7cf5f18d2d7fa632badac4d6067782a62016b391a9140fa88cd01a136958
                                                  • Instruction ID: b51228288a7427c37f249211d207877ecb9812a7cef74ead0a6c9cec74af6a27
                                                  • Opcode Fuzzy Hash: 345a7cf5f18d2d7fa632badac4d6067782a62016b391a9140fa88cd01a136958
                                                  • Instruction Fuzzy Hash: 6AE06D3E800111AFE200EBA4EC45EAFB7B8FF89305F448865F54CA7216D735E90987A6
                                                  APIs
                                                  • BlockInput.USER32(00000000), ref: 1001750C
                                                  • BlockInput.USER32(?,?,?,00000000), ref: 10017528
                                                  • BlockInput.USER32(?), ref: 100175D3
                                                  Yara matches
                                                  Similarity
                                                  • API ID: BlockInput
                                                  • String ID:
                                                  • API String ID: 3456056419-0
                                                  • Opcode ID: 70d7b4fe06ccd1aeb7d671d919ba715909ed7347f82ce07ad212871d477d66c2
                                                  • Instruction ID: 7c35041cbc989ced744e84bc2fe7d25f999f3a5f95f372f905baf80f1d985716
                                                  • Opcode Fuzzy Hash: 70d7b4fe06ccd1aeb7d671d919ba715909ed7347f82ce07ad212871d477d66c2
                                                  • Instruction Fuzzy Hash: 8E51F737B485849BC714DF98A452BEEFB65FB85621F0082AFE95987741CB366410C7D0
                                                  APIs
                                                    • Part of subcall function 100089F0: lstrlenA.KERNEL32(?), ref: 10008A21
                                                    • Part of subcall function 100089F0: malloc.MSVCRT ref: 10008A29
                                                    • Part of subcall function 100089F0: lstrcpyA.KERNEL32(00000000,?), ref: 10008A41
                                                    • Part of subcall function 100089F0: CharNextA.USER32(00000002), ref: 10008A6D
                                                    • Part of subcall function 100089F0: CharNextA.USER32(00000002), ref: 10008A8B
                                                    • Part of subcall function 100089F0: GetFileAttributesA.KERNEL32(00000000), ref: 10008ACF
                                                    • Part of subcall function 100089F0: CreateDirectoryA.KERNEL32(00000000,00000000), ref: 10008ADC
                                                    • Part of subcall function 100089F0: GetLastError.KERNEL32 ref: 10008AE6
                                                    • Part of subcall function 100089F0: free.MSVCRT ref: 10008B44
                                                  • FindFirstFileA.KERNEL32(?,?,00000041,00000000,00000000,00000001,?,?,00000000,00000065), ref: 10009BDA
                                                  • FindClose.KERNEL32(00000000,0000006D,?,00000000,00000065), ref: 10009C06
                                                  • FindClose.KERNEL32(00000000,?,00000000,00000065), ref: 10009C21
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$CharCloseFileNext$AttributesCreateDirectoryErrorFirstLastfreelstrcpylstrlenmalloc
                                                  • String ID:
                                                  • API String ID: 887710168-0
                                                  • Opcode ID: 6703766433a7eb1751993fb2cde4a4e3e360f15e5c6b0555f0ff15d622da5f13
                                                  • Instruction ID: 7edccb4fe516f4dcd3f53cbb636c582056df7d6c9d487251626477ac035d64a7
                                                  • Opcode Fuzzy Hash: 6703766433a7eb1751993fb2cde4a4e3e360f15e5c6b0555f0ff15d622da5f13
                                                  • Instruction Fuzzy Hash: FC11F3367001104BE714DB24DC91BFAB3D5EB89360F04063AFE1ACB2D6CA776D45C2A4
                                                  APIs
                                                  • AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 10020A10
                                                  • CheckTokenMembership.ADVAPI32(00000000,?,?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000), ref: 10020A25
                                                  • FreeSid.ADVAPI32(?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 10020A30
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateCheckFreeInitializeMembershipToken
                                                  • String ID:
                                                  • API String ID: 3429775523-0
                                                  • Opcode ID: 9cd60866ab50a98c35c1f79ff38d4de2054aee1ceee2e1c8484874dd467a29a6
                                                  • Instruction ID: f6f7157a8b3012e72d1b12e548f4c87b378eb29056a0154ccc3d0e26a5706136
                                                  • Opcode Fuzzy Hash: 9cd60866ab50a98c35c1f79ff38d4de2054aee1ceee2e1c8484874dd467a29a6
                                                  • Instruction Fuzzy Hash: 9AF01D7515C380BFE340DB2889C4AABBBE8EBA4640FC45D4EF58943252D234D808CB27
                                                  APIs
                                                  • OpenEventLogA.ADVAPI32(00000000), ref: 1000E57C
                                                  • ClearEventLogA.ADVAPI32(00000000,00000000), ref: 1000E587
                                                  • CloseEventLog.ADVAPI32(00000000), ref: 1000E58A
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Event$ClearCloseOpen
                                                  • String ID:
                                                  • API String ID: 1391105993-0
                                                  • Opcode ID: b719f0b8eb9c5516b5e29b39de37e38f590415d9596412b4ce2da0eade4c8ec0
                                                  • Instruction ID: e2617011e296939ca9cc499396a789e41a2db0335649869ff5bc3c2fc59dee1f
                                                  • Opcode Fuzzy Hash: b719f0b8eb9c5516b5e29b39de37e38f590415d9596412b4ce2da0eade4c8ec0
                                                  • Instruction Fuzzy Hash: B8F0C271504755DBD300DF09CC80B4BBBE8FB88340F800D09F954A7201E775AE088BA6
                                                  APIs
                                                    • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                    • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                  • ExitWindowsEx.USER32(?,00000000), ref: 10010656
                                                    • Part of subcall function 1001B690: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1001B6D2
                                                    • Part of subcall function 1001B690: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6EA
                                                    • Part of subcall function 1001B690: GetLastError.KERNEL32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6F0
                                                    • Part of subcall function 1001B690: CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,00000000,00000000), ref: 1001B6FF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ProcessToken$AdjustCloseCurrentErrorExitHandleLastLookupOpenPrivilegePrivilegesValueWindows
                                                  • String ID: SeShutdownPrivilege
                                                  • API String ID: 3672536310-3733053543
                                                  • Opcode ID: 5c3b0d6465ec82876b96f4a11b20ef9413b9959b1a27daeafe2d367ede1fa4d8
                                                  • Instruction ID: 8bb9d6b82e749448676f30d8a34e8541df49bcb33f5f773f867f71790e701dd0
                                                  • Opcode Fuzzy Hash: 5c3b0d6465ec82876b96f4a11b20ef9413b9959b1a27daeafe2d367ede1fa4d8
                                                  • Instruction Fuzzy Hash: E9C01279540B0C2BD450DB509C87F4A32549B24705F544810F7145D1C1EAB9B454497E
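The two function entries above record the API chains for anti-forensic event-log clearing (OpenEventLogA, ClearEventLogA, CloseEventLog) and for enabling SeShutdownPrivilege before calling ExitWindowsEx (OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges). The following Python is an added example, not part of the Joe Sandbox report and not code from the sample: it parses API-trace lines in the format the report's "APIs" sections use and flags both chains as ordered, not necessarily adjacent, subsequences of calls. The names SAMPLE_TRACE, SIGNATURES, parse_calls, match_chain and scan are assumptions for the example; the sample trace copies the call lines from the entries above, but its ordering (the privilege chain placed before ExitWindowsEx, as it executes at runtime) and the trailing sprintf line are constructed.

```python
import re

# Constructed sample input: API-trace lines in the format Joe Sandbox prints in the
# "APIs" section of a function entry. The call lines are copied from the report
# entries above; the ordering (privilege chain before ExitWindowsEx) and the
# trailing sprintf line are constructed for the example.
SAMPLE_TRACE = """\
• Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
• Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
• Part of subcall function 1001B690: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1001B6D2
• Part of subcall function 1001B690: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6EA
• ExitWindowsEx.USER32(?,00000000), ref: 10010656
• OpenEventLogA.ADVAPI32(00000000), ref: 1000E57C
• ClearEventLogA.ADVAPI32(00000000,00000000), ref: 1000E587
• CloseEventLog.ADVAPI32(00000000), ref: 1000E58A
• sprintf.MSVCRT(?,?), ref: 10012000
"""

# One trace line: optional bullet, optional "Part of subcall function X:" prefix,
# then API.MODULE(args), ref: ADDRESS.
CALL_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Behavioural signatures (assumed names for this example): ordered API chains
# that together express a technique. Names carry no A/W suffix so that ANSI and
# Unicode variants of the same API both match.
SIGNATURES = {
    # Anti-forensics: open a log handle, wipe the log, close the handle.
    "event_log_clearing": ["OpenEventLog", "ClearEventLog", "CloseEventLog"],
    # Enable a privilege on the process token (SeShutdownPrivilege in the report),
    # then shut the machine down.
    "privileged_shutdown": ["OpenProcessToken", "LookupPrivilegeValue",
                            "AdjustTokenPrivileges", "ExitWindowsEx"],
}


def _base_name(api):
    """Fold the ANSI/Unicode suffix: OpenEventLogA and OpenEventLogW -> OpenEventLog.
    Heuristic: strip a trailing A or W only when the preceding letter is lowercase."""
    if len(api) > 1 and api[-1] in "AW" and api[-2].islower():
        return api[:-1]
    return api


def parse_calls(trace_text):
    """Parse trace lines into call records; lines that are not calls are ignored."""
    calls = []
    for line in trace_text.splitlines():
        m = CALL_RE.match(line)
        if m:
            calls.append({
                "api": m.group("api"),
                "module": m.group("module"),
                "args": m.group("args").split(","),
                "ref": m.group("ref"),
            })
    return calls


def match_chain(calls, chain):
    """Return the call-site addresses at which `chain` occurs as an in-order
    subsequence of `calls` (unrelated calls may sit in between), or None."""
    refs, idx = [], 0
    for call in calls:
        if idx < len(chain) and _base_name(call["api"]) == chain[idx]:
            refs.append(call["ref"])
            idx += 1
    return refs if idx == len(chain) else None


def scan(trace_text):
    """Map every signature that matches the trace to the refs that matched it."""
    calls = parse_calls(trace_text)
    hits = {}
    for name, chain in SIGNATURES.items():
        refs = match_chain(calls, chain)
        if refs is not None:
            hits[name] = refs
    return hits


if __name__ == "__main__":
    for name, refs in scan(SAMPLE_TRACE).items():
        print(f"{name}: {' -> '.join(refs)}")
```

Matching on the suffix-free name matters because a Unicode build of the same code would call OpenEventLogW and ClearEventLogW, and requiring the calls in order (rather than merely present) keeps a lone ClearEventLog import from firing the signature. On a live host the same behaviour surfaces as Security Event ID 1102 (audit log cleared) and System Event ID 104 (event log cleared); a log-forwarding pipeline should treat either as an alert in its own right, since a cleared log is exactly the case where nothing else will be left to look at.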
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 2$?
                                                  • API String ID: 0-2669683831
                                                  • Opcode ID: 82d0a23524c8e639fe612ce29f0b0a327bed8ec205d1f2a73d9b6a9962b00d97
                                                  • Instruction ID: e3216f6868f9e4cf5f6781065e10e0d9461c84bc6dce7621e4154a7730d0a26f
                                                  • Opcode Fuzzy Hash: 82d0a23524c8e639fe612ce29f0b0a327bed8ec205d1f2a73d9b6a9962b00d97
                                                  • Instruction Fuzzy Hash: 1972D6B4604B429FD368CF29C890B9AF7E5FB88304F118A2DE59D87351EB30A955CF91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: U,E
                                                  • API String ID: 0-4027942359
                                                  • Opcode ID: bb403865d610320d9d3144d3c8a59b381feae8db40863a7a375d4a88aa33cec3
                                                  • Instruction ID: 62788b8b9c83910406f6e107d4ec69dc7ae710b733b3debf393c051762315612
                                                  • Opcode Fuzzy Hash: bb403865d610320d9d3144d3c8a59b381feae8db40863a7a375d4a88aa33cec3
                                                  • Instruction Fuzzy Hash: 799279B5A002499FDB24CF28C881BEA77E5FF88344F50852EEA49CB351D734EA45CB95
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: sprintf
                                                  • String ID:
                                                  • API String ID: 590974362-0
                                                  • Opcode ID: ff90f73474dabd82ae3067d476fcd8e7c0353b33501274f27f7b9a7cf42dc2d8
                                                  • Instruction ID: 5aa8e0581ca9c61f6fa59a3ea5278b0e339d6fb469f5b802416a7b005548d055
                                                  • Opcode Fuzzy Hash: ff90f73474dabd82ae3067d476fcd8e7c0353b33501274f27f7b9a7cf42dc2d8
                                                  • Instruction Fuzzy Hash: E872F779A00B045FD320DE16DC81BAB73D5EFC5310F11C42DEAAA87B92EAB4F9418795
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: `
                                                  • API String ID: 0-2679148245
                                                  • Opcode ID: 67634c2c52ae4da3c090af6cdcece1f51e784655f4b8252d7771084186b7efcc
                                                  • Instruction ID: 5ba99edb4dc111c4c3f754275c391baa9eac253efeba611e3fe4600b19b7e26f
                                                  • Opcode Fuzzy Hash: 67634c2c52ae4da3c090af6cdcece1f51e784655f4b8252d7771084186b7efcc
                                                  • Instruction Fuzzy Hash: B37224B16087009FD358CF28CC85A6BB7E5FBC8304F54892DF99A87355EA74E901DB52
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: H
                                                  • API String ID: 0-2852464175
                                                  • Opcode ID: 05437cc4da248d0b5c8cb68c61ac51f3f1356b75297161c92043c969fa7b9174
                                                  • Instruction ID: 187d62c811851c58088b2f1c6dce946c8a0fd3b94e8cc69681fc47f369cecc54
                                                  • Opcode Fuzzy Hash: 05437cc4da248d0b5c8cb68c61ac51f3f1356b75297161c92043c969fa7b9174
                                                  • Instruction Fuzzy Hash: 5F824AB5A042459FC758CF18C880AAAFBE5FF88344F14866EE949CB356D770E981CF91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: p
                                                  • API String ID: 0-2181537457
                                                  • Opcode ID: 224c8d5f358a7b6ef40d174852e6fea1c18b7104658d6185486e6c31f62c3a69
                                                  • Instruction ID: fe8cd2cc24421d6a9a7cee5e5788c892982403802447b05bf67885c1992b357f
                                                  • Opcode Fuzzy Hash: 224c8d5f358a7b6ef40d174852e6fea1c18b7104658d6185486e6c31f62c3a69
                                                  • Instruction Fuzzy Hash: 397223B16087019FD358CF28CC85A6BB7E5EBC8304F04892EF99A87351EB35E905DB52
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: P
                                                  • API String ID: 0-3110715001
                                                  • Opcode ID: 1744a71cc153f435a488135215ca316859ffb33d37d10a6ad281924961b10e09
                                                  • Instruction ID: d184077492bed8aef1c2b56622c036f2df93d33661324d6ff674df0f5cadea1b
                                                  • Opcode Fuzzy Hash: 1744a71cc153f435a488135215ca316859ffb33d37d10a6ad281924961b10e09
                                                  • Instruction Fuzzy Hash: 655238B56047019FD358CF28C885AABB7EAFBC8340F15892DF98A87351EB74E805CB51
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _ftol
                                                  • String ID:
                                                  • API String ID: 2545261903-0
                                                  • Opcode ID: 7a9bd9669acc6f9723b73846090dd6e66c1ecf8a2b571f2b7f2950442504dfaf
                                                  • Instruction ID: ce3ace6327e3203f5d2051b33f1549e90bcca54b4fbe323c781dd39a00036240
                                                  • Opcode Fuzzy Hash: 7a9bd9669acc6f9723b73846090dd6e66c1ecf8a2b571f2b7f2950442504dfaf
                                                  • Instruction Fuzzy Hash: 6A221974A043868FDB68CF18C490B9AB7E2FFC8304F11896EE9898B355D730E951CB91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: p
                                                  • API String ID: 0-2181537457
                                                  • Opcode ID: c0112df73418a4f496818cd07d16fa3fdfad0c2254d9b3da0803b42da5236a41
                                                  • Instruction ID: f7052ab2a3d0824c41790045bc7bbe12662eb6fe58e132b7cacf9ba9d32faa16
                                                  • Opcode Fuzzy Hash: c0112df73418a4f496818cd07d16fa3fdfad0c2254d9b3da0803b42da5236a41
                                                  • Instruction Fuzzy Hash: D02224726047009FD358CF68C885AABB7E9FB88304F45891DF99EC7351EB74A905CB62
Strings
Memory Dump Source
• Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID:
• String ID: H
• API String ID: 0-2852464175
• Opcode ID: b7c368c19ef43085cbd88bfad823d9457c7e6e5029ebf07f9028f357f5e6a29f
• Instruction ID: 1973868626951cbc4e1e6dbbbaae98c5aea718cf2aa9e198ecfd8e57a8fac991
• Opcode Fuzzy Hash: b7c368c19ef43085cbd88bfad823d9457c7e6e5029ebf07f9028f357f5e6a29f
• Instruction Fuzzy Hash: 4722F1B5A142059FCB48CF18C490A9ABBE5FF88310F558A6EFC49CB346D770E941CB91
Memory Dump Source
• Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 454b192ecfaca2bfeccc7b5d9f1b28ddef83bf891173fbfbdba393ab323421c2
• Instruction ID: f9911c3756e58d96d67ac0068ac05fe94daea12ae19a9087e13a65d9dc3f6b02
• Opcode Fuzzy Hash: 454b192ecfaca2bfeccc7b5d9f1b28ddef83bf891173fbfbdba393ab323421c2
• Instruction Fuzzy Hash: 9F626D74600B428FD734CF29D980A26B7E1FF85650B158A2DE887D7B51D730F94ACBA1
Memory Dump Source
• Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 97e2224dc0ef2b1fc53d62958fd45e5f26a65b99f05693ffc431e4c50dd9cacc
• Instruction ID: 752e0dd24e133d73b6f08329f2179d760a74bb4bde05081f5036a7f9d25ca0bd
• Opcode Fuzzy Hash: 97e2224dc0ef2b1fc53d62958fd45e5f26a65b99f05693ffc431e4c50dd9cacc
• Instruction Fuzzy Hash: AE423A74504B468FC326CF18D480A6BB7F5FF89345F14496DE9868B712D731EA0ACB92
Memory Dump Source
• Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ea6ab9f78f90f424b4e1c8bf84860adce0fffc767b65f905f94987ab85e84ed9
• Instruction ID: 666f91e0f4e9b9f2dd51f1c7e6263b133853ce75cc250038ad35c0a21c5c6ed6
• Opcode Fuzzy Hash: ea6ab9f78f90f424b4e1c8bf84860adce0fffc767b65f905f94987ab85e84ed9
• Instruction Fuzzy Hash: 6B02F0B56087458BE704CF28D88071BB7E6EFC5294F46852CF88A87345EB35EE05C7A6
Memory Dump Source
• Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4797e064f56f14eac9a7beb65e631e3381fa09ee9f13918a05c30c79d5ca12ac
• Instruction ID: 41471438a16cbbac6786139d1061e5c3017a9635662bae8005eac138925a0d7c
• Opcode Fuzzy Hash: 4797e064f56f14eac9a7beb65e631e3381fa09ee9f13918a05c30c79d5ca12ac
• Instruction Fuzzy Hash: CD3203B56042459FCB68CF28C880B9AB7E5FF88304F15866EED499B345D730EA41CF95
Memory Dump Source
• Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 28f74a478b9e56c454a2729459905cb1d28662fe90d563d355c94c2c2b461897
• Instruction ID: 4d71161d89cbbead2164ec4957e4dfeca612bfca0d3e2a666b1d05633a211095
• Opcode Fuzzy Hash: 28f74a478b9e56c454a2729459905cb1d28662fe90d563d355c94c2c2b461897
• Instruction Fuzzy Hash: B91219B56087419FD364CF58C880AABB7EAFBC8304F15892DF59A87354EB70E905CB52
Memory Dump Source
• Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 20b7cfe01caa3f4186f54ee0bd46686b24229b0d6bfff7e3f713d6b1973d67e9
• Instruction ID: 1a2f8e5215c28f0ed089b4e417405f415f18f762e39f11f2e1df00e997976450
• Opcode Fuzzy Hash: 20b7cfe01caa3f4186f54ee0bd46686b24229b0d6bfff7e3f713d6b1973d67e9
• Instruction Fuzzy Hash: 8B12E6A5E35FA741E783AAB854424A5F3607FEB140B06AB17FC9070C42FB3AD38E4254
Memory Dump Source
• Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 373561648ed17f623230584d40b545c58971e2c0c6a1969ba25a6d51b433a622
• Instruction ID: 6bf080dd21d2c418260dd11eed1b3b6311730e3ee8d8d0daa20e21ca440b09df
• Opcode Fuzzy Hash: 373561648ed17f623230584d40b545c58971e2c0c6a1969ba25a6d51b433a622
• Instruction Fuzzy Hash: 800257B4604B458FC326CF18C490A6BB7E5FF89305F154A6DE98A8B712D731F90ACB91
Memory Dump Source
• Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6e2fb3a0990cb8f2fdad2bfe0b8d49da4d09b219bcd50ed853708e3854edc2e9
• Instruction ID: 029373d71355fbd2ad70396b17303df9a12dee90329dec291bf355f95b858a0e
• Opcode Fuzzy Hash: 6e2fb3a0990cb8f2fdad2bfe0b8d49da4d09b219bcd50ed853708e3854edc2e9
• Instruction Fuzzy Hash: D9122874A093418FC315CF09D48094AB7E2FFCC359F598A6DE9885B326DB30B916CB96
Memory Dump Source
• Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 40d6cc66e0b936cdead37ef532d89ee06d34439e23798db7d65ba9872918fda5
• Instruction ID: ace8e06d0a3442dc2e4d5d93a36c7dda4def718a55803d6bed4ad8f29c8fc085
• Opcode Fuzzy Hash: 40d6cc66e0b936cdead37ef532d89ee06d34439e23798db7d65ba9872918fda5
• Instruction Fuzzy Hash: BB026C756087428FC709CF1AC490A5AFBE2FFC8319F19896DD9899B316DB31E906CB41
Memory Dump Source
• Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5a3b1edd6918a6fbb49c5e17d253c2efa91f0bc55c0e6aeb1232c13692f9d9d0
• Instruction ID: 64735ea465274e5fb1f8591c2231c0b85bce749390d1d6339555928da74c1d0a
• Opcode Fuzzy Hash: 5a3b1edd6918a6fbb49c5e17d253c2efa91f0bc55c0e6aeb1232c13692f9d9d0
• Instruction Fuzzy Hash: BFD11639B00B055FD724DE2ACC81BABB3D6EFC4310F00852DEA9B87B92D6B4F9418651
Memory Dump Source
• Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 97aafaa7d09f2a587d9b47b0a7b3b92ca9fa010e9f6a99fe67426401d4192c2e
• Instruction ID: 62b796718e84f24db96b20aa623b88a4f735824615e6ff2014f862d8e28d506b
• Opcode Fuzzy Hash: 97aafaa7d09f2a587d9b47b0a7b3b92ca9fa010e9f6a99fe67426401d4192c2e
• Instruction Fuzzy Hash: 0EE1F3B2A083954FD318CF28C89065ABBE1FBC4380F16867DE8D6DB351D678D949CB85
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c324fae35605e0318178e989c7bf8fd9c7c74e6d59fe310db041826096156942
                                                  • Instruction ID: d9b1ff911830af0539c7349bf08e3b2d9740b495c4966d40e324d81a2e3ecd1b
                                                  • Opcode Fuzzy Hash: c324fae35605e0318178e989c7bf8fd9c7c74e6d59fe310db041826096156942
                                                  • Instruction Fuzzy Hash: 52F1BEB65096418FC309CF18D4989E2BBE5EF98310B1F42FDC4499B362D332E985CB91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2687faa37309abc548b5ff328fe7a62011fc3d30ac3d746e604706c2c85b3cbe
                                                  • Instruction ID: 7bb6ed843fccb1d171a269f829f0da8c3387a7479521bb1172319b2c54a59b23
                                                  • Opcode Fuzzy Hash: 2687faa37309abc548b5ff328fe7a62011fc3d30ac3d746e604706c2c85b3cbe
                                                  • Instruction Fuzzy Hash: 60D155B5A057468FC314CF09C890A5AF7E1FFC8354F158A2EE8999B311D730E946CB92
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 80c568206ee772c262ef29b3cb3411df1fba831bc70dbbdd959477f18782bbad
                                                  • Instruction ID: 191fb6512ce3fe81ac62e8b205ff347e08eb9b5354047abb2973186291256276
                                                  • Opcode Fuzzy Hash: 80c568206ee772c262ef29b3cb3411df1fba831bc70dbbdd959477f18782bbad
                                                  • Instruction Fuzzy Hash: 52D1AE64926B0296D716CF38D082436B3A2FFF27147A4C75ED886B715AFB30E895C381
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dc49b93a90eb42755b28ff9a1f4e157d09a1c2fb66e4d2f97c50c74f42bac02d
                                                  • Instruction ID: c9d9968e773ab0179434f71f20166d56fb7836a4f0aba6d95100071a75a33e44
                                                  • Opcode Fuzzy Hash: dc49b93a90eb42755b28ff9a1f4e157d09a1c2fb66e4d2f97c50c74f42bac02d
                                                  • Instruction Fuzzy Hash: 39C136716087468FD31CCF19C89156AFBE2FFC8704F048A2DE59A87354EB34A914CB89
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 44531fdb7ad762606b8c0ed8b22239f60f764cef16d5b4e10ce9907491eaaf73
                                                  • Instruction ID: 1cefddefc1273a83d4783cd2495db2e7edfb8caec8dc97b4bcf5608fb9fa9477
                                                  • Opcode Fuzzy Hash: 44531fdb7ad762606b8c0ed8b22239f60f764cef16d5b4e10ce9907491eaaf73
                                                  • Instruction Fuzzy Hash: 8DD18A756092518FC319CF28E8D88E67BE5FF98710B1E42F8C9898B323D731A985CB55
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e36b668c6f7f275d4e3c1909ff9ce4881944ec2a47434caefc73e7e0d96a4ec0
                                                  • Instruction ID: 721eaa63ce6458851d8aa1b9dc4c03e48d6a588ee79b546b769e2eb3cd3e4e7c
                                                  • Opcode Fuzzy Hash: e36b668c6f7f275d4e3c1909ff9ce4881944ec2a47434caefc73e7e0d96a4ec0
                                                  • Instruction Fuzzy Hash: 56C13E3560D3828FC308CF69C49055AFBE2BFCA208F49D97DE9D98B312D671A919CB45
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 380346d83fdc543ebc22177e3de29bc30f0f136880a3c99924b68710931819b8
                                                  • Instruction ID: ac40b97b19cf350deb4381199cebd45df556241ac8ef125ecfdd14d8ce777ac4
                                                  • Opcode Fuzzy Hash: 380346d83fdc543ebc22177e3de29bc30f0f136880a3c99924b68710931819b8
                                                  • Instruction Fuzzy Hash: 3CA1B334A087968FC709CF29848031ABBE2FFD9616F24C66DD8A58F299E771C905C781
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5ba32ef62104ad4fa989df10cd095480fe71a6d544f4596f173a80f44f9302ff
                                                  • Instruction ID: 5f98526eac24df5b1521ed8c3c60a8dea648e96a9abcffbfabeff445296a397c
                                                  • Opcode Fuzzy Hash: 5ba32ef62104ad4fa989df10cd095480fe71a6d544f4596f173a80f44f9302ff
                                                  • Instruction Fuzzy Hash: 4EC18BA4A2AF0596D7168F38D482536B3A1FFF17147A4C74AD8C6B715EFB20E4A1D280
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 87cd360eeabfb3d2a53af9d4dc92188b2830e60fc760d83bb67fb1035d8072f3
                                                  • Instruction ID: 8d182b711f86b2590d44b9e897d1d1c98bcbef0953a52f6730e8bedf5447d214
                                                  • Opcode Fuzzy Hash: 87cd360eeabfb3d2a53af9d4dc92188b2830e60fc760d83bb67fb1035d8072f3
                                                  • Instruction Fuzzy Hash: F6916D32604B428FD729CF29C8914ABB7E2EF86344B69892DD5D787B11E731B849CB41
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dca000b2f6927503bda9435cdfa2d38ec8c2434b44ad82a88198043659fe7c76
                                                  • Instruction ID: e70820d266a8dfc3c891c9c4e497ac63b67ceedcd589d3e7af91b45e671c8c89
                                                  • Opcode Fuzzy Hash: dca000b2f6927503bda9435cdfa2d38ec8c2434b44ad82a88198043659fe7c76
                                                  • Instruction Fuzzy Hash: FB718533755A8207E71CCE3E8C612BAABD38FC621432ED87E94DAC7756EC79D41A5204
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 27c135387e15843d5111bdeacdeb80c544cc66fa5b1e7e016b7e8428dd49fc97
                                                  • Instruction ID: 37a9a9593b3dc3555cfa8e56289a9d5074fe474d1c8ec2e397b83cc327960a0e
                                                  • Opcode Fuzzy Hash: 27c135387e15843d5111bdeacdeb80c544cc66fa5b1e7e016b7e8428dd49fc97
                                                  • Instruction Fuzzy Hash: 61914A756047059FD758CF28C881BABB7EAEBC8300F55992DF99AC7340EA30F9058B51
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f5bed60060751f39adf9628b607899d39014c7b2f99b3987925e1250c265d70b
                                                  • Instruction ID: 9f11bce80a0ec17ae65470847eba7d25ade11d084938c03b16f53130ee7c7e33
                                                  • Opcode Fuzzy Hash: f5bed60060751f39adf9628b607899d39014c7b2f99b3987925e1250c265d70b
                                                  • Instruction Fuzzy Hash: 7B914A716093818FC318CF6DC89056AFBE2FFCE304F19863EE589C7365DA7599068A46
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 361d593a6597ca170d4028ccc48b8ee29c1db73e1bb6d68cc95f9e1a891fcec8
                                                  • Instruction ID: 394e96dab5a0ad22cad07a8418f847d0fe22322e10ef68398779eb1422000efd
                                                  • Opcode Fuzzy Hash: 361d593a6597ca170d4028ccc48b8ee29c1db73e1bb6d68cc95f9e1a891fcec8
                                                  • Instruction Fuzzy Hash: 4E81BF327195A64BE708CF29DCE053BB7A3EB8D340F19883DC686D7356C931A91AC760
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 763eac6b6b42709351b1268c3bfac75d101506b380c3a22d1c78b889bc5400ed
                                                  • Instruction ID: 4e5fd15620c05232e311bf08b0a4888acbdfcfc8b05760d64ecdd7d941a19f93
                                                  • Opcode Fuzzy Hash: 763eac6b6b42709351b1268c3bfac75d101506b380c3a22d1c78b889bc5400ed
                                                  • Instruction Fuzzy Hash: 67219373BF4E1B0EE344A9FCDC4A7A135C1D3A4715F198E38A119C72C0F5ACCA885250

                                                  APIs
                                                  • atoi.MSVCRT(?), ref: 10025E9A
                                                    • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCrkat,?,00000000,0000002E,00000001), ref: 10014D10
                                                    • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D19
                                                    • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 10014D27
                                                    • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D2A
                                                    • Part of subcall function 10014CA0: RegSetValueExA.ADVAPI32(00000000,?,00000000,0000004D,ExA,0000004D), ref: 10014DD4
                                                    • Part of subcall function 10014CA0: RegSetValueExA.ADVAPI32(00000000,?,00000000,0000004D,?), ref: 10014DFE
                                                    • Part of subcall function 10014700: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                    • Part of subcall function 10014700: GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                    • Part of subcall function 10014700: #823.MFC42(?), ref: 10014763
                                                    • Part of subcall function 10014700: #823.MFC42(?,?), ref: 100147DA
                                                  • atoi.MSVCRT(?,80000002,?,?,00000004,?,00000000,00000000,00000000), ref: 10026908
                                                    • Part of subcall function 10014CA0: RegDeleteKeyA.ADVAPI32(?,?), ref: 10014E2A
                                                  • Sleep.KERNEL32(000005DC), ref: 10026933
                                                    • Part of subcall function 10014CA0: RegDeleteValueA.ADVAPI32(?,?), ref: 10014E56
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProcValue$#823Deleteatoi$Sleep
                                                  • String ID: $ $ $ $ $ $-$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$D$D$D$E$E$E$E$E$E$M$M$M$M$M$M$N$P$P$P$R$R$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$W$W$Y$Y$Y$Y$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$a$a$a$a$a$a$a$b$c$c$c$c$d$d$d$d$f$i$i$i$i$i$i$i$i$i$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$m$m$m$m$m$m$m$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$p$p$p$p$s$s$s$s$u$u$u$u$u$v$v$v$v$v$v$w$y
                                                  • API String ID: 3245547908-431623420
                                                  • Opcode ID: 6ddffa8ede800b22b0c7d31f1a98932fe5aee7fc99250002329de52fbb2c0142
                                                  • Instruction ID: 46da3d8f85b41806bff36dc6f8e690e7e2fa6d6d5cef91b77a25e2a54a4f965e
                                                  • Opcode Fuzzy Hash: 6ddffa8ede800b22b0c7d31f1a98932fe5aee7fc99250002329de52fbb2c0142
                                                  • Instruction Fuzzy Hash: 70524C2154D7C0DDE332C6689859BDBBED21BB3709F48489D92DC1B283C2BA4658C77B

                                                  APIs
                                                    • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,759183C0,1001F1D6), ref: 1001B666
                                                    • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                    • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                  • LoadLibraryA.KERNEL32 ref: 1001BA99
                                                  • GetProcAddress.KERNEL32 ref: 1001BB65
                                                  • GetProcAddress.KERNEL32 ref: 1001BDDC
                                                  • GetCurrentProcess.KERNEL32 ref: 1001BE73
                                                  • Sleep.KERNEL32(00000014), ref: 1001BEC5
                                                  • Sleep.KERNEL32(000003E8), ref: 1001BF4C
                                                  • CloseHandle.KERNEL32(?), ref: 1001BF9F
                                                  • CloseHandle.KERNEL32(?), ref: 1001BFBC
                                                  • CloseHandle.KERNEL32(?), ref: 1001BFC7
                                                  • CloseHandle.KERNEL32(?), ref: 1001BFD5
                                                  • FreeLibrary.KERNEL32(00000000), ref: 1001BFDC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Handle$Close$AddressLibraryProc$LoadSleep$CurrentFreeModuleProcess
                                                  • String ID: .$.$.$2$2$2$3$3$3$A$A$A$A$A$A$B$B$C$C$D$D$D$D$E$E$E$E$E$E$G$I$I$I$K$L$N$N$O$P$P$P$P$Q$R$R$S$S$S$S$S$T$T$T$T$T$T$U$U$U$V$V$W$W$W$a$a$c$c$c$c$c$c$d$d$d$d$i$i$i$i$i$k$k$k$k$k$l$l$l$l$l$l$l$l$l$l$m$m$n$n$n$n$n$n$n$n$n$n$n$o$o$o$o$o$o$o$o$o$o$o$o$o$o$p$p$r$r$r$r$r$r$r$r$r$r$s$s$s$s$s$s$s$s$s$s$s$t$t$t$t$t$t$t$u$u$v$v$v$y$y
                                                  • API String ID: 2138834447-1109127159
                                                  • Opcode ID: 986803221d92b284a1ced20c5c8d8ce2802ba8e88640f4ae639c33b509c4433e
                                                  • Instruction ID: b92ea2c6ecc8dc9ed4b31073c573c3eaba9d3190629ecc8d5bf6861edb2dfcac
                                                  • Opcode Fuzzy Hash: 986803221d92b284a1ced20c5c8d8ce2802ba8e88640f4ae639c33b509c4433e
                                                  • Instruction Fuzzy Hash: CF32AF6040C7C4C9E332C7688848BDBBFD66BA6748F08499DE2CC4B282C7BA5558C777
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 10005D3C
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005D45
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,GetPrivateProfileSectionNamesA), ref: 10005D55
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005D58
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,GetPrivateProfileStringA), ref: 10005D6B
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005D6E
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,GetWindowsDirectoryA), ref: 10005D81
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005D84
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,GetVersionExA), ref: 10005D94
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005D97
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA), ref: 10005DA7
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005DAA
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcpyA), ref: 10005DBD
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005DC0
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcmpA), ref: 10005DD3
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005DD6
                                                  • strchr.MSVCRT ref: 100060F0
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000023,00000000), ref: 10006131
                                                  • wsprintfA.USER32 ref: 10006151
                                                  • #823.MFC42(00001000), ref: 100061B3
                                                  • #825.MFC42(?,?,?,00000000,?,?,00000000,?,?), ref: 1000638B
                                                  • #825.MFC42(00000000,?,?,?,00000000,?,?,00000000,?,?), ref: 10006391
                                                  • #825.MFC42(00000000,00000000,?,?,?,00000000,?,?,00000000,?,?), ref: 10006397
                                                  • #825.MFC42(00000000), ref: 100063DD
                                                    • Part of subcall function 10005A50: LoadLibraryA.KERNEL32 ref: 10005AA7
                                                    • Part of subcall function 10005A50: GetProcAddress.KERNEL32(00000000), ref: 10005AAE
                                                    • Part of subcall function 10005A50: wsprintfA.USER32 ref: 10005B17
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$#825$wsprintf$#823FolderPathSpecialstrchr
                                                  • String ID: $ $ $%s\%s$.$.$C$C$D$D$Device$DialParamsUID$GetPrivateProfileSectionNamesA$GetPrivateProfileStringA$GetVersionExA$GetWindowsDirectoryA$KERNEL32.dll$M$M$N$N$PhoneNumber$S$a$a$a$a$a$a$b$b$b$b$c$c$c$c$c$c$d$e$e$e$e$e$e$e$e$f$f$g$h$h$i$i$i$i$i$i$k$k$k$k$k$k$kernel32.dll$lstrcatA$lstrcmpA$lstrcpyA$lstrlenA$m$p$p$p$p$p$p$r$r$r$r$r$r$s$s$s$s$s$s$s$s$u$w$w
                                                  • API String ID: 2391671045-4160613188
                                                  • Opcode ID: eca479f0cba930ca087138913895d5de84e08072406ba3e1e92d2a47810035d3
                                                  • Instruction ID: ae3809650b471314dde33fff758c838472e2731737b5b0f95b3dee6920cb3e1a
                                                  • Opcode Fuzzy Hash: eca479f0cba930ca087138913895d5de84e08072406ba3e1e92d2a47810035d3
                                                  • Instruction Fuzzy Hash: 77120A6150D3C4DEE322CB788848B9BBFD5AFE6748F08494DE1C847292C6BA9548C777
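The LoadLibraryA/GetProcAddress pairs in the records above (10005D3C onward, and the ADVAPI32 resolutions inside subcall 10014CA0) are the sandbox's view of the sample building its own import table at run time, which is what the "Contains functionality to dynamically determine API calls" signature keys on. Joe Sandbox prints the stack slots it sees at each call, so the second "argument" of a one-argument LoadLibraryA (lstrcatA, GetPrivateProfileStringA, RegOpenKeyExA, ...) is the lpProcName already pushed for the GetProcAddress that follows; reading the two lines together recovers the name being resolved. The Python below is an added example, not Joe Sandbox code and not part of the sample: it parses lines in the format shown on this page (SAMPLE_TRACE is a constructed excerpt copied from the records above), pairs each LoadLibraryA with the next GetProcAddress in the same call context, and lists the recovered imports per DLL. The SENSITIVE set and the triage() summary are my own choices, not anything the report defines.

```python
"""Rebuild the dynamically resolved import set from a Joe Sandbox 'APIs' listing.

Added example; parses the report's own line format, not an official Joe Sandbox API.
"""
import re
from collections import defaultdict

# Constructed sample: API trace lines copied from the function records on this page.
SAMPLE_TRACE = """\
• LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 10005D3C
• GetProcAddress.KERNEL32(00000000), ref: 10005D45
• LoadLibraryA.KERNEL32(kernel32.dll,GetPrivateProfileSectionNamesA), ref: 10005D55
• GetProcAddress.KERNEL32(00000000), ref: 10005D58
• LoadLibraryA.KERNEL32(KERNEL32.dll,GetPrivateProfileStringA), ref: 10005D6B
• GetProcAddress.KERNEL32(00000000), ref: 10005D6E
• strchr.MSVCRT ref: 100060F0
• SHGetSpecialFolderPathA.SHELL32(00000000,?,00000023,00000000), ref: 10006131
  • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 10014D27
  • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D2A
  • Part of subcall function 10014CA0: RegSetValueExA.ADVAPI32(00000000,?,00000000,0000004D,ExA,0000004D), ref: 10014DD4
• Sleep.KERNEL32(000005DC), ref: 10026933
"""

# One report line: optional "Part of subcall function XXXX:" prefix, then
# api.MODULE(args), ref: ADDRESS   (args are optional, e.g. "strchr.MSVCRT ref: ...")
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[#\w]+)\.(?P<mod>[\w.]+?)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Imports worth a second look when a sample resolves them by hand (my own list).
SENSITIVE = {
    "RegOpenKeyExA", "RegSetValueExA", "RegDeleteKeyA", "RegDeleteValueA",
    "GetPrivateProfileSectionNamesA", "GetPrivateProfileStringA",
}


def parse_trace(text):
    """Yield one dict per API line; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        yield {"api": m["api"], "mod": m["mod"], "args": args,
               "ref": m["ref"], "sub": m["sub"]}


def resolved_imports(text):
    """Pair LoadLibraryA(dll, name) with the GetProcAddress that follows it.

    The pairing is kept per call context ("top" for the function itself, or the
    subcall address), so resolutions inside a helper are not mixed with the caller's.
    """
    pending = {}                 # context -> (dll, proc name) awaiting GetProcAddress
    found = defaultdict(set)     # dll -> resolved names
    for call in parse_trace(text):
        ctx = call["sub"] or "top"
        if call["api"] == "LoadLibraryA" and len(call["args"]) >= 2:
            # slot 0 is lpLibFileName; slot 1 is the lpProcName pushed for GetProcAddress
            pending[ctx] = (call["args"][0].lower(), call["args"][1])
        elif call["api"] == "GetProcAddress" and ctx in pending:
            dll, name = pending.pop(ctx)
            found[dll].add(name)
    return {dll: sorted(names) for dll, names in found.items()}


def triage(text):
    """Summarise a record: recovered imports, the sensitive ones, and direct call count."""
    imports = resolved_imports(text)
    flagged = sorted(n for names in imports.values() for n in names if n in SENSITIVE)
    direct = sum(1 for c in parse_trace(text) if c["sub"] is None)
    return {"imports": imports, "flagged": flagged, "direct_calls": direct}


if __name__ == "__main__":
    for dll, names in sorted(triage(SAMPLE_TRACE)["imports"].items()):
        print(f"{dll}: {', '.join(names)}")
```

Running it on the excerpt recovers lstrcatA and the two GetPrivateProfile* exports from kernel32.dll and RegOpenKeyExA from advapi32.dll, which is the same list the static import table of this DLL would not show. The parser ignores "?" placeholders and unknown lines rather than guessing, so a record with stack noise still yields only the pairs the trace actually supports.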
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 10005461
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1000546A
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,GetPrivateProfileSectionNamesA), ref: 10005478
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1000547B
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,GetWindowsDirectoryA), ref: 1000548E
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005491
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA), ref: 100054A1
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100054A4
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcpyA), ref: 100054B7
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100054BA
                                                  • strchr.MSVCRT ref: 100057B9
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000023,00000000), ref: 100057F6
                                                  • wsprintfA.USER32 ref: 10005816
                                                  • #823.MFC42(00001000), ref: 1000583D
                                                  • #825.MFC42(00000000), ref: 1000589B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$#823#825FolderPathSpecialstrchrwsprintf
                                                  • String ID: $ $ $%s\%s$.$.$C$C$D$D$GetPrivateProfileSectionNamesA$GetWindowsDirectoryA$KERNEL32.dll$M$M$N$N$S$a$a$a$a$a$a$b$b$b$b$c$c$c$c$c$c$d$e$e$e$e$e$e$e$e$f$f$g$h$h$i$i$i$i$i$i$k$k$k$k$k$k$kernel32.dll$lstrcatA$lstrcpyA$lstrlenA$m$p$p$p$p$p$p$r$r$r$r$r$r$s$s$s$s$s$s$s$s$u$w$w
                                                  • API String ID: 1413152188-1163569440
                                                  • Opcode ID: 6b0de1d9b4d272058180ea5e85739ea82220ea56e8af9adbbb86897ae75e66d6
                                                  • Instruction ID: 0562570b42432492150a784315d896445768f268a1e3393a75b37121b429ab9d
                                                  • Opcode Fuzzy Hash: 6b0de1d9b4d272058180ea5e85739ea82220ea56e8af9adbbb86897ae75e66d6
                                                  • Instruction Fuzzy Hash: E4D1B26140D7C0DDE322C778849878BBFD66FA2748F08498DE1C84B293C6BA9658C777
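The two records above (10005D3C and 10005461) resolve GetPrivateProfileSectionNamesA and GetPrivateProfileStringA, call SHGetSpecialFolderPathA with CSIDL 0x23 (CSIDL_COMMON_APPDATA, the common application data folder), format a path with "%s\%s", and allocate 0x1000 bytes through #823.MFC42 (MFC42 ordinal 823 is operator new, 825 is operator delete). The strings Device, DialParamsUID and PhoneNumber are the key names of entries in Windows RAS phonebook (.pbk) files, which are INI-format, so the pattern reads as enumerating phonebook entries and pulling those three values; the report itself does not name the file, so treat that as an inference from the strings, not a finding stated on this page. The Python below is an added example, not the sample's code: it emulates what the GetPrivateProfileSectionNamesA/GetPrivateProfileStringA sequence hands back over a constructed INI in phonebook layout, including the double-NUL-terminated section-name list and the truncation Windows applies when the caller's buffer is too small. SAMPLE_PBK and all values in it are made up.

```python
"""Emulate the GetPrivateProfileSectionNamesA / GetPrivateProfileStringA harvest loop.

Added example. The INI below is constructed in RAS phonebook (.pbk) layout; the
assumption that the sample targets such a file is an inference from its strings.
"""
import configparser

# Constructed sample: two phonebook-style entries with the three keys the sample names.
SAMPLE_PBK = """\
[Office VPN]
Device=WAN Miniport (PPTP)
DialParamsUID=12345678
PhoneNumber=vpn.example.internal

[Dialup ISP]
Device=U.S. Robotics 56K
DialParamsUID=87654321
PhoneNumber=5551234
"""

HARVESTED_KEYS = ("Device", "DialParamsUID", "PhoneNumber")


def _load(ini_text):
    """INI parser with no value interpolation and case-preserving keys (as Windows does)."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str
    cp.read_string(ini_text)
    return cp


def section_names_buffer(ini_text, buf_size=0x1000):
    """Return the bytes GetPrivateProfileSectionNamesA would write into a buf_size buffer.

    Each section name is NUL-terminated and the list ends with an extra NUL. When the
    buffer is too small Windows truncates to nSize-2 and still double-NUL terminates;
    0x1000 matches the #823.MFC42(00001000) allocation seen in the record.
    """
    out = b"".join(n.encode("utf-8") + b"\x00" for n in _load(ini_text).sections()) + b"\x00"
    if len(out) > buf_size:
        out = out[:buf_size - 2] + b"\x00\x00"
    return out


def split_multi_sz(buf):
    """Walk a double-NUL-terminated list the way the caller's loop has to."""
    names, pos = [], 0
    while pos < len(buf) and buf[pos] != 0:
        end = buf.index(b"\x00", pos)
        names.append(buf[pos:end].decode("utf-8"))
        pos = end + 1
    return names


def harvest(ini_text, keys=HARVESTED_KEYS, buf_size=0x1000):
    """Per entry, the values GetPrivateProfileStringA returns for each harvested key."""
    cp = _load(ini_text)
    return {
        section: {k: cp.get(section, k, fallback="") for k in keys}
        for section in split_multi_sz(section_names_buffer(ini_text, buf_size))
    }


if __name__ == "__main__":
    for entry, values in harvest(SAMPLE_PBK).items():
        print(entry, values)
```

The truncation branch is the edge case worth knowing when sizing a detection or a decoy file: with an undersized buffer the sample silently sees only the first entries, so a phonebook padded past 0x1000 bytes of section names would hide later entries from this particular loop, while a larger buffer would not.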
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressHandleLibraryLoadModuleProc
                                                  • String ID: .$.$.$.$:$A$AOr$C$E$F$H$I$I$I$I$I$I$I$O$O$R$T$U$W$a$a$a$a$at.$b$c$d$d$d$g$i$i$i$l$l$l$l$l$l$l$l$m$n$n$n$n$n$n$n$n$n$n$n$n$o$o$p$p$p$p$p$p$p$r$r$r$r$r$t$t$t$t$t$t$t$t$t$t$t$t$t$t
                                                  • API String ID: 310444273-3809768815
                                                  • Opcode ID: 63e450fb999bb24abaee570fbd4232a6528e175d703855afcbb30a5378cb40b5
                                                  • Instruction ID: 4c56c63e57b0a57d431be2d6ff2093808df29b32732bb1a27d8720569643267d
                                                  • Opcode Fuzzy Hash: 63e450fb999bb24abaee570fbd4232a6528e175d703855afcbb30a5378cb40b5
                                                  • Instruction Fuzzy Hash: E9E1E42150D3C0DDE332C238844879FBFD65BA2648F48499DE5C84B293C7BA9558D77B
                                                  APIs
                                                    • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,759183C0,1001F1D6), ref: 1001B666
                                                    • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                    • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1001ED7E
                                                  • GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104), ref: 1001EDBD
                                                  • GetCurrentProcess.KERNEL32 ref: 1001EEEB
                                                  • GetCurrentThread.KERNEL32 ref: 1001EEF2
                                                  • GetCurrentProcess.KERNEL32(00000020), ref: 1001EF67
                                                  • GetCurrentThread.KERNEL32 ref: 1001EF6E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Current$ModuleProcessThread$AddressEnvironmentFileHandleLibraryLoadNameProcVariable
                                                  • String ID: /c ping -n 2 127.0.0.1 > nul && del $ > nul$.$2$3$A$A$A$A$COMSPEC$D$F$K$L$N$P$P$R$R$S$T$T$a$a$a$b$c$d$d$d$h$h$i$i$i$i$l$l$l$m$m$o$o$r$r$r$r$r$r$r$s$s$s$s$s$s$t$t$t$t$t$t$t$u$u$y
                                                  • API String ID: 2038349478-1119942076
                                                  • Opcode ID: 490859674d05f5fa8cf34ac90298807cd5a94b9c9337227081a1d025c53f5c08
                                                  • Instruction ID: bbed58369666b1c2bd5cd146773a1f73191dac64ed8760fac5291f00d2832cff
                                                  • Opcode Fuzzy Hash: 490859674d05f5fa8cf34ac90298807cd5a94b9c9337227081a1d025c53f5c08
                                                  • Instruction Fuzzy Hash: 15E1292150C7C089E326C6788449B9FFFD56BE2748F084A5DE2D84B2D2CAFA9548C777
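The function above is the self-removal routine: it calls GetModuleFileNameA with a NULL module handle (which yields the path of the hosting executable, here loaddll32.exe, rather than the DLL itself), reads COMSPEC to find cmd.exe, and formats the two literals `/c ping -n 2 127.0.0.1 > nul && del ` and ` > nul` around that path (the `$` between them in the String ID list is the report's string separator, not part of the command). The loopback ping is only a sleep that lets the parent exit before `del` runs. What follows is an added example, not code from the report or from the sample: a matcher for that command line over process-creation telemetry. Field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage); every event, path and retry count in it is constructed for the example.

```python
"""
Added example (not from the Joe Sandbox report or the sample): match the
ping-then-del self-removal command line in process-creation telemetry.
Field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage);
all events below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    image: str          # Sysmon Image
    command_line: str   # Sysmon CommandLine
    parent_image: str   # Sysmon ParentImage


# "ping ... 127.0.0.1 ... && del [switches] <path>": the loopback ping is a sleep
# that lets the parent exit before del runs. Quoted and unquoted paths and a
# trailing "> nul" redirection are tolerated; the retry count (-n 2 in this
# sample) is deliberately not pinned so variants with a different delay match.
SELF_DELETE_RE = re.compile(
    r'\bping\b[^&|]*?\b127\.0\.0\.1\b[^&|]*?&&\s*del\b\s+(?:/[a-z]\s+)*"?(?P<target>[^">]+?)"?\s*(?:>|$)',
    re.IGNORECASE,
)


def self_delete_target(command_line: str) -> Optional[str]:
    """Return the path being deleted if the command line is a self-delete chain."""
    m = SELF_DELETE_RE.search(command_line)
    return m.group("target").strip() if m else None


def classify(ev: ProcEvent) -> Optional[str]:
    """None = no match; 'medium' = pattern only; 'high' = the deleted path is the
    image of the process that spawned this cmd.exe, i.e. the parent removes itself."""
    target = self_delete_target(ev.command_line)
    if target is None:
        return None
    return "high" if target.lower() == ev.parent_image.lower() else "medium"


def scan(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """(parent image, deleted path, severity) for every matching event."""
    hits = []
    for ev in events:
        sev = classify(ev)
        if sev:
            hits.append((ev.parent_image, self_delete_target(ev.command_line), sev))
    return hits


# Constructed events. The first mimics what the sandbox run would produce:
# loaddll32.exe hosting the DLL spawns cmd.exe to delete loaddll32.exe itself.
SAMPLE_EVENTS = [
    ProcEvent(
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r"C:\Windows\System32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\loaddll32.exe > nul",
        parent_image=r"C:\Users\user\Desktop\loaddll32.exe",
    ),
    ProcEvent(
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r'cmd.exe /c ping -n 3 127.0.0.1 > nul && del "C:\ProgramData\update.tmp" > nul',
        parent_image=r"C:\Windows\System32\svchost.exe",
    ),
    ProcEvent(  # benign: loopback ping with no chained delete
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r"cmd.exe /c ping -n 4 127.0.0.1",
        parent_image=r"C:\Windows\explorer.exe",
    ),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The parent-image comparison is what lifts the score: a loopback ping chained with `del` is common enough in installers and update scripts, but a cmd.exe whose delete target is the very image of its own parent is the self-erasing behaviour seen here. The pattern is keyed on 127.0.0.1 because that is what this sample uses; widen the host match if you want to catch variants that ping something else.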
                                                  APIs
                                                    • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                    • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                  • LocalAlloc.KERNEL32(00000040,00000400), ref: 10024C06
                                                  • WTSEnumerateSessionsA.WTSAPI32 ref: 10024C3B
                                                  • GetVersionExA.KERNEL32(?), ref: 10024C53
                                                    • Part of subcall function 10024A90: WTSQuerySessionInformationW.WTSAPI32 ref: 10024AB4
                                                    • Part of subcall function 10024A50: WTSQuerySessionInformationA.WTSAPI32(00000000,?,0000000A,?,?,10024ED1,?,?,?), ref: 10024A6F
                                                    • Part of subcall function 10024B40: WTSQuerySessionInformationA.WTSAPI32(00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024B60
                                                    • Part of subcall function 10024B40: WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024B80
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F03
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F25
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F31
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F3A
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F46
                                                  • LocalSize.KERNEL32(00000000), ref: 10024F54
                                                  • LocalReAlloc.KERNEL32(00000000,00000000,00000042,?,?,?,?), ref: 10024F62
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F73
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F91
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024FA7
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024FCF
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024FE5
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10025006
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 1002501C
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 1002503D
                                                  • LocalReAlloc.KERNEL32(00000000,00000000,00000042), ref: 100250A0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrlen$Local$AllocInformationQuerySession$Process$CurrentEnumerateFreeMemoryOpenSessionsSizeTokenVersion
                                                  • String ID: AtR$C$C$D$D$I$I$LoSvAtR$Q$RDI$SeDebugPrivilege$SvAtR$c$c$c$c$d$d$d$i$i$i$l$n$n$n$n$n$n$n$n$o$o$o$o$r$s$t$t$t$t$u$v$w$w$y
                                                  • API String ID: 3275454331-1820797497
                                                  • Opcode ID: f5624e6b6a617209da6a5c80ef3033c770dc07205c0af6250f8b0743bed6d2d5
                                                  • Instruction ID: b1de97bb1e532192dcc96ff274dd48cc58c084c44de882cac167928afb279602
                                                  • Opcode Fuzzy Hash: f5624e6b6a617209da6a5c80ef3033c770dc07205c0af6250f8b0743bed6d2d5
                                                  • Instruction Fuzzy Hash: 83E1053050C3C1CEE325CB28C484B9FBBE1AB96708F48495DE5C857352DBBA9909CB67
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Exec
                                                  • String ID: &$&$&$&$/$/$1$2$3$4$5$6$:$a$a$a$a$a$c$c$d$d$d$g$g$g$g$i$i$i$l$l$m$n$n$n$n$o$o$o$p$r$r$r$r$r$u$u$u$u$u$u$v$y
                                                  • API String ID: 459137531-3041118241
                                                  • Opcode ID: b22cca66343ad3003d2291dea90512d45e7e4697c411a4a85f85a143834da450
                                                  • Instruction ID: 7bc06bb267aba25a745494efeaf4f4d644bd4b710169c1d4aeb2a62eee067a6f
                                                  • Opcode Fuzzy Hash: b22cca66343ad3003d2291dea90512d45e7e4697c411a4a85f85a143834da450
                                                  • Instruction Fuzzy Hash: 08510C2554E3C1DDE312C668918878FEFD21FB7648E48598DB1C81B393C2AA825CC777
                                                  APIs
                                                  • LoadLibraryA.KERNEL32 ref: 1000FC8C
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1000FC95
                                                  • LoadLibraryA.KERNEL32(?,.23L), ref: 1000FCDE
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1000FCE1
                                                  • GetTickCount.KERNEL32 ref: 1000FD3E
                                                  • sprintf.MSVCRT ref: 1000FD4F
                                                  • GetTickCount.KERNEL32 ref: 1000FD8C
                                                  • sprintf.MSVCRT ref: 1000FD9D
                                                  • lstrcatA.KERNEL32(?,?), ref: 1000FDB3
                                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 1000FE19
                                                  • CloseHandle.KERNEL32(00000000), ref: 1000FE20
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressCountLibraryLoadProcTicksprintf$CloseFileHandleWritelstrcat
                                                  • String ID: .$.23L$2$3$A$A$C$F$G$K$L$N$P$P$R$T$a$a$d$e$e$e$e$e$e$g$h$i$igu$m$n$o$p$p$r$s$t$t$t$u
                                                  • API String ID: 3729143920-1829843242
                                                  • Opcode ID: be69d7072731297b0b3e170cd7eb9345f74aa06f0dd775d95f5218c24336af5c
                                                  • Instruction ID: d6333924631afeb965d673ddae39e8c487648ef1f7016fef5eba0a33fe2752c1
                                                  • Opcode Fuzzy Hash: be69d7072731297b0b3e170cd7eb9345f74aa06f0dd775d95f5218c24336af5c
                                                  • Instruction Fuzzy Hash: 96916C3110C3C09AE312CB68D848B9BBFD5ABA6718F084A5DF6D4462D2D7BA950CC773
                                                  APIs
                                                  • strstr.MSVCRT ref: 10013BB7
                                                  • strstr.MSVCRT ref: 10013BCA
                                                  • strstr.MSVCRT ref: 10013BDF
                                                  • strncpy.MSVCRT ref: 10013C2B
                                                  • _itoa.MSVCRT ref: 10013C71
                                                  • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10013C8A
                                                  • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 10013CB0
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013CBD
                                                  • HttpOpenRequestA.WININET(00000000,POST,?,HTTP/1.1,00000000,00000000,80084010,00000000), ref: 10013CED
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013D00
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013D03
                                                  • sprintf.MSVCRT ref: 10013D2E
                                                  • HttpSendRequestA.WININET(00000000,?,?,?), ref: 10013D66
                                                  • HttpQueryInfoA.WININET(00000000,00000005,?,?,00000000), ref: 10013D82
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013D93
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013D96
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013D99
                                                  • atol.MSVCRT ref: 10013DB2
                                                  • #823.MFC42(00000001,?,?), ref: 10013DC0
                                                  • InternetReadFile.WININET(00000000,00000000,00000001,?), ref: 10013DE8
                                                  • #825.MFC42(00000000), ref: 10013DF3
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013E02
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013E05
                                                  • InternetCloseHandle.WININET(?), ref: 10013E0C
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013E24
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013E27
                                                  • InternetCloseHandle.WININET(?), ref: 10013E2E
                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 10013E3E
                                                  • #823.MFC42(00000002), ref: 10013E4B
                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 10013E75
                                                  • #825.MFC42(00000000), ref: 10013E7C
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 10013E93
                                                  • #823.MFC42(00000001), ref: 10013E9F
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 10013ECA
                                                  • #825.MFC42(00000000), ref: 10013ED1
                                                  • #825.MFC42(00000000,00000000,00000000), ref: 10013EDF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$CloseHandle$#825ByteCharMultiWide$#823Httpstrstr$OpenRequest$ConnectFileInfoQueryReadSend_itoaatolsprintfstrncpy
                                                  • String ID: $/cgi-bin/qun_mgr/get_group_list$Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s$HTTP/1.1$Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)$POST$bkn=$create$gc=%u&st=0&end=1999&sort=0&%s$gmr$join$p_skey$qun.qq.com$skey=
                                                  • API String ID: 3684279964-3639289013
                                                  • Opcode ID: 990525e5488a96e8453cdc46b1721a0efc440dc8632db5c924d2235e82eb403e
                                                  • Instruction ID: faa93913a6112bf75685c4331b660b6eedd4284dd9d5a7e5e4bfb64d0fa1d1b7
                                                  • Opcode Fuzzy Hash: 990525e5488a96e8453cdc46b1721a0efc440dc8632db5c924d2235e82eb403e
                                                  • Instruction Fuzzy Hash: 97D14876A043142BE310DA689C81FAB77DDEB84760F05463DFB09A72C1EB74ED0587A6
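The function above is a session-replay request against QQ's group-management endpoint: it opens a WinINet connection to qun.qq.com on port 80 (the 00000050 argument to InternetConnectA), issues a POST to /cgi-bin/qun_mgr/get_group_list over HTTP/1.1, sends a fixed header block (Accept, Referer, Accept-Language: zh-cn, Content-Type: application/x-www-form-urlencoded and a Cookie line; the CRLFs between them were lost in extraction) with the hard-coded user agent `Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)`, fills the Cookie from the victim's `skey=` and `p_skey=` values that the three strstr calls locate, formats the body from `gc=%u&st=0&end=1999&sort=0&%s`, reads the response with InternetReadFile and converts it from UTF-8 (code page 0xFDE9 = 65001 in the MultiByteToWideChar calls). Below is an added example, not code from the report or from the sample: a parser for raw HTTP requests (as pulled from a pcap or proxy capture) and a matcher for this request shape. The sample request is constructed from the strings on the page; where the listing does not say how a value is placed (whether `bkn=` rides in the body or the query string, what follows `http://qun.qq.com` in the Referer), the choice below is an assumption, and the Host and Content-Length headers are the ones WinINet adds on the wire.

```python
"""
Added example, not from the Joe Sandbox report or the sample: parse raw HTTP
requests and flag the qun.qq.com group-list call built by the function above.
SAMPLE_REQUEST and BROWSER_REQUEST are constructed; placement of bkn= in the
body and the Referer path are assumptions not recoverable from the listing.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ENDPOINT_HOST = "qun.qq.com"
ENDPOINT_PATH = "/cgi-bin/qun_mgr/get_group_list"
HARDCODED_UA = "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
FIXED_PARAMS = "st=0&end=1999&sort=0"      # literal tail of the gc=%u format string
SESSION_COOKIES = ("skey", "p_skey")       # the cookies the function copies in


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: Dict[str, str]   # names lower-cased
    body: str


def parse_request(raw: str) -> HttpRequest:
    """Parse one raw HTTP/1.x request as extracted from a pcap or proxy capture."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


def cookie_names(cookie_header: str) -> List[str]:
    return [p.split("=", 1)[0].strip() for p in cookie_header.split(";") if p.strip()]


def assess(req: HttpRequest) -> Optional[dict]:
    """None if this is not a group-list POST; otherwise the indicators found,
    the session cookies exposed, and a verdict."""
    if req.method != "POST" or req.path.split("?", 1)[0] != ENDPOINT_PATH:
        return None
    if req.headers.get("host", "").lower() != ENDPOINT_HOST:
        return None
    indicators: List[str] = []
    if req.headers.get("user-agent") == HARDCODED_UA:
        indicators.append("hard-coded IE9/Windows 7 user agent")
    if "origin" not in req.headers:
        # a browser XHR POST carries Origin; the fixed header block has none
        indicators.append("no Origin header")
    if FIXED_PARAMS in req.body or FIXED_PARAMS in req.path:
        indicators.append("fixed st/end/sort parameters from the format string")
    exposed = [c for c in cookie_names(req.headers.get("cookie", "")) if c in SESSION_COOKIES]
    suspicious = (
        "hard-coded IE9/Windows 7 user agent" in indicators
        or ("no Origin header" in indicators and FIXED_PARAMS in req.body)
    )
    return {"indicators": indicators, "exposed_cookies": exposed, "suspicious": suspicious}


# Constructed: what the function's request looks like on the wire. The cookie
# values, group number and bkn are placeholders.
SAMPLE_REQUEST = (
    "POST /cgi-bin/qun_mgr/get_group_list HTTP/1.1\r\n"
    "Host: qun.qq.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)\r\n"
    "Accept: */*\r\n"
    "Referer: http://qun.qq.com/\r\n"
    "Accept-Language: zh-cn\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: uin=o0123456789; skey=@AbCdEfGhIj; p_skey=XyZ-constructed\r\n"
    "Content-Length: 45\r\n"
    "\r\n"
    "gc=123456789&st=0&end=1999&sort=0&bkn=1234567"
)

# Constructed: the same endpoint called by a logged-in browser, for contrast.
BROWSER_REQUEST = (
    "POST /cgi-bin/qun_mgr/get_group_list HTTP/1.1\r\n"
    "Host: qun.qq.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36\r\n"
    "Origin: https://qun.qq.com\r\n"
    "Cookie: uin=o0123456789; skey=@constructed; p_skey=constructed\r\n"
    "\r\n"
    "bkn=1234567"
)

if __name__ == "__main__":
    print(assess(parse_request(SAMPLE_REQUEST)))
    print(assess(parse_request(BROWSER_REQUEST)))
```

The endpoint alone is a poor indicator, since the real site calls it from the browser with the same skey/p_skey cookies; the hard-coded Internet Explorer 9 user agent and the absence of the headers a browser XHR would add are what separate the sample's request from legitimate traffic. The `exposed_cookies` list is the incident-response payload: if you see this request leave a host, those session cookies should be treated as stolen and the QQ session invalidated.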
                                                  APIs
                                                  • #356.MFC42 ref: 10007AA2
                                                  • #540.MFC42 ref: 10007AB6
                                                  • #540.MFC42 ref: 10007AC7
                                                  • #540.MFC42 ref: 10007AD8
                                                  • #540.MFC42 ref: 10007AE9
                                                    • Part of subcall function 10008080: #2614.MFC42(?,?,10007AFF), ref: 10008084
                                                    • Part of subcall function 10008080: #860.MFC42(*.*,?,?,10007AFF), ref: 10008091
                                                    • Part of subcall function 10008080: #3811.MFC42(?,*.*,?,?,10007AFF), ref: 100080B2
                                                    • Part of subcall function 10008080: #3811.MFC42(?,?,*.*,?,?,10007AFF), ref: 100080C1
                                                    • Part of subcall function 10008080: #3811.MFC42(?,?,?,*.*,?,?,10007AFF), ref: 100080D0
                                                    • Part of subcall function 10008080: #3811.MFC42(?,?,?,?,*.*,?,?,10007AFF), ref: 100080DF
                                                    • Part of subcall function 10008080: #3811.MFC42(?,?,?,?,?,*.*,?,?,10007AFF), ref: 100080EE
                                                    • Part of subcall function 10008080: #3811.MFC42(?,?,?,?,?,?,*.*,?,?,10007AFF), ref: 100080FD
                                                    • Part of subcall function 10011E20: #537.MFC42(?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011E47
                                                    • Part of subcall function 10011E20: #940.MFC42(?,?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011E7E
                                                    • Part of subcall function 10011E20: #535.MFC42(?,?,?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011E8F
                                                    • Part of subcall function 10011E20: #800.MFC42(?,?,?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011EA5
                                                  • #858.MFC42 ref: 10007B2F
                                                  • #800.MFC42 ref: 10007B40
                                                  • #537.MFC42(*.*), ref: 10007B59
                                                  • #922.MFC42(?,?,00000000,*.*), ref: 10007B6E
                                                  • #858.MFC42(00000000,?,?,00000000,*.*), ref: 10007B80
                                                  • #800.MFC42(00000000,?,?,00000000,*.*), ref: 10007B90
                                                  • #800.MFC42(00000000,?,?,00000000,*.*), ref: 10007BA1
                                                  • #2770.MFC42(?,00000000,00000000,?,?,00000000,*.*), ref: 10007BB1
                                                  • #2781.MFC42(?,00000000,00000000,?,?,00000000,*.*), ref: 10007BCF
                                                  • #4058.MFC42 ref: 10007BEF
                                                  • #858.MFC42(?), ref: 10007C01
                                                  • #858.MFC42(?,?), ref: 10007C0E
                                                  • #858.MFC42(?,?,?), ref: 10007C1B
                                                  • #3178.MFC42(?,?,?,?), ref: 10007C8A
                                                  • #922.MFC42(?,?,00000000,?,?,?,?), ref: 10007C9D
                                                  • #858.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 10007CAF
                                                  • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 10007CBF
                                                  • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 10007CD0
                                                  • #1980.MFC42 ref: 10007CED
                                                  • #858.MFC42(?), ref: 10007CF6
                                                  • MessageBoxA.USER32(00000000,100FA624,warning,00000000), ref: 10007D1E
                                                  • #922.MFC42(?,?,?), ref: 10007D2E
                                                  • #858.MFC42(00000000,?,?,?), ref: 10007D40
                                                  • #800.MFC42(00000000,?,?,?), ref: 10007D51
                                                  • #2770.MFC42(?,00000000,00000000,?,?,?), ref: 10007D61
                                                  • #2781.MFC42(?,00000000,00000000,?,?,?), ref: 10007D7F
                                                  • #4058.MFC42(?,00000000,00000000,?,?,?), ref: 10007D8C
                                                  • #4215.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007DAD
                                                  • #3324.MFC42(?,00000000,00000000,?,?,?), ref: 10007DC6
                                                  • #3324.MFC42(?,00000000,00000000,?,?,?), ref: 10007DE7
                                                  • #3310.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007E22
                                                  • #3010.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007E7F
                                                  • #3304.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007ED4
                                                  • #3181.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007F33
                                                  • #800.MFC42(?,?,?,?,00000000,00000000,?,?,?), ref: 10007F58
                                                  • #3181.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007F6A
                                                  • #941.MFC42(100FA614), ref: 10007F91
                                                  • #6883.MFC42(?,?), ref: 10007FA2
                                                  • #800.MFC42(?,?), ref: 10007FB3
                                                  • MessageBoxA.USER32(00000000,100FA624,warning,00000000), ref: 10007FE1
                                                  • #800.MFC42 ref: 10008015
                                                  • #800.MFC42 ref: 10008026
                                                  • #800.MFC42 ref: 10008037
                                                  • #800.MFC42 ref: 10008048
                                                  • #668.MFC42 ref: 1000805C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #800$#858$#3811$#540$#922$#2770#2781#3181#3324#4058#537Message$#1980#2614#3010#3178#3304#3310#356#4215#535#668#6883#860#940#941
                                                  • String ID: *.*$warning
                                                  • API String ID: 3130606840-3923866357
                                                  • Opcode ID: 251ad2f11a4f3d366ba395f991fd5f89db86f2f297839ac524b49303de88fe60
                                                  • Instruction ID: b1e61bf16f4b2c14380c5a5ce74a3a62fa832d31a0b46feb69f6aa117d284303
                                                  • Opcode Fuzzy Hash: 251ad2f11a4f3d366ba395f991fd5f89db86f2f297839ac524b49303de88fe60
                                                  • Instruction Fuzzy Hash: 42027F745083858BD354CF64C941FABBBE5FF98684F40492CF9DA43296EB34E909CB62
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$Eventfreemalloc
                                                  • String ID: .$0$2$3$A$A$C$D$G$K$L$N$P$P$R$S$T$W$\$a$a$a$c$d$f$h$i$l$l$l$m$n$o$p$t$t$t$t$t$u
                                                  • API String ID: 4197004350-898277365
                                                  • Opcode ID: 2c3a0603530f328a27061e7ef2e005e9cbed302183f30dfe61a54d0479010bab
                                                  • Instruction ID: 602051e4c15d0ae263632009933f159da553bc9aa47493433fa8a4b6ec865501
                                                  • Opcode Fuzzy Hash: 2c3a0603530f328a27061e7ef2e005e9cbed302183f30dfe61a54d0479010bab
                                                  • Instruction Fuzzy Hash: 2361596110C3C0DDE312D7A89848B8BBFD59BE6308F08499DF5C84B292C6BA9218C777
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32 ref: 10021B6B
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021B78
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateThread), ref: 10021B8C
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021B8F
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,?), ref: 10021BDB
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021BDE
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,esolC), ref: 10021C52
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021C55
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateProcess), ref: 10021C65
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021C68
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,DisconnectNamedPipe), ref: 10021C78
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021C7B
                                                  • Sleep.KERNEL32(0000000A), ref: 10021C92
                                                  • GetConsoleProcessList.KERNEL32(?,00000001), ref: 10021CB2
                                                  • #823.MFC42 ref: 10021CC3
                                                  • GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 10021CD3
                                                  • GetCurrentProcessId.KERNEL32 ref: 10021CE7
                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 10021CFE
                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 10021D09
                                                  • CloseHandle.KERNEL32(00000000), ref: 10021D10
                                                  • #825.MFC42(00000000), ref: 10021D29
                                                  • FreeConsole.KERNEL32 ref: 10021D3B
                                                  • Sleep.KERNEL32(0000000A), ref: 10021D43
                                                  • FreeConsole.KERNEL32 ref: 10021D49
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoadProcess$Console$FreeHandleListSleep$#823#825CloseCurrentModuleOpenTerminate
                                                  • String ID: AttachConsole$C$DisconnectNamedPipe$F$KERNEL32.dll$S$TerminateProcess$TerminateThread$W$a$c$e$e$elgn$esolC$g$l$l$l$n$o$o$r$s
                                                  • API String ID: 708691324-3966567685
                                                  • Opcode ID: 4acc90a649982e3aedb2a66079b7d9c7ee7758a0dc820944897b91898660a95a
                                                  • Instruction ID: fe9642f753dd22a55e554f1462d43a8a3ea9f7acd4df13b4c4e1dfc8ca97fa94
                                                  • Opcode Fuzzy Hash: 4acc90a649982e3aedb2a66079b7d9c7ee7758a0dc820944897b91898660a95a
                                                  • Instruction Fuzzy Hash: CEB1B0746083949BDB20DF68CC84BDFBBE9AF95740F45481DF9889B241C7B5E904CBA2
                                                  APIs
                                                  • strstr.MSVCRT ref: 10013514
                                                  • strstr.MSVCRT ref: 10013527
                                                  • strstr.MSVCRT ref: 1001353C
                                                  • strncpy.MSVCRT ref: 10013588
                                                  • _itoa.MSVCRT ref: 100135CE
                                                  • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 100135E7
                                                  • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 1001360D
                                                  • InternetCloseHandle.WININET(00000000), ref: 1001361A
                                                  • HttpOpenRequestA.WININET(00000000,POST,?,HTTP/1.1,00000000,00000000,80084010,00000000), ref: 1001364A
                                                  • InternetCloseHandle.WININET(00000000), ref: 1001365D
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013660
                                                  • sprintf.MSVCRT ref: 1001368B
                                                  • HttpSendRequestA.WININET(00000000,?,?,?), ref: 100136C3
                                                  • HttpQueryInfoA.WININET(00000000,00000005,?,?,00000000), ref: 100136DF
                                                  • InternetCloseHandle.WININET(00000000), ref: 100136F0
                                                  • InternetCloseHandle.WININET(00000000), ref: 100136F3
                                                  • InternetCloseHandle.WININET(00000000), ref: 100136F6
                                                  • atol.MSVCRT ref: 1001370F
                                                  • #823.MFC42(00000001,?,?), ref: 1001371D
                                                  • InternetReadFile.WININET(00000000,00000000,00000001,?), ref: 10013745
                                                  • #825.MFC42(00000000), ref: 10013750
                                                  • InternetCloseHandle.WININET(00000000), ref: 1001375F
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013762
                                                  • InternetCloseHandle.WININET(?), ref: 10013769
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013781
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013784
                                                  • InternetCloseHandle.WININET(?), ref: 1001378B
                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 1001379B
                                                  • #823.MFC42(00000002), ref: 100137A8
                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 100137D2
                                                  • #825.MFC42(00000000), ref: 100137D9
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 100137F0
                                                  • #823.MFC42(00000001), ref: 100137FC
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 10013827
                                                  • #825.MFC42(00000000), ref: 1001382E
                                                  • #825.MFC42(00000000,00000000,00000000), ref: 1001383C
                                                  Strings
                                                  • /cgi-bin/qun_mgr/get_friend_list, xrefs: 100134DB
                                                  • HTTP/1.1, xrefs: 1001363E
                                                  • p_skey, xrefs: 100134FD
                                                  • Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1), xrefs: 100134AF
                                                  • , xrefs: 10013503
                                                  • qun.qq.com, xrefs: 100134BB
                                                  • Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s, xrefs: 10013685
                                                  • bkn=, xrefs: 1001354D
                                                  • POST, xrefs: 10013644
                                                  • skey=, xrefs: 10013521
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$CloseHandle$#825ByteCharMultiWide$#823Httpstrstr$OpenRequest$ConnectFileInfoQueryReadSend_itoaatolsprintfstrncpy
                                                  • String ID: $/cgi-bin/qun_mgr/get_friend_list$Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s$HTTP/1.1$Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)$POST$bkn=$p_skey$qun.qq.com$skey=
                                                  • API String ID: 3684279964-1003693118
                                                  • Opcode ID: 83a2f2817c2aedd7fbe9857ede55100449b32c6472bc6b786a787f71fcc3d649
                                                  • Instruction ID: a6aeb5833008578cdead13e838f5760d2c554c937ea3091131f56ecc18512e5b
                                                  • Opcode Fuzzy Hash: 83a2f2817c2aedd7fbe9857ede55100449b32c6472bc6b786a787f71fcc3d649
                                                  • Instruction Fuzzy Hash: 4FA137726003146BE314DA788C41FAB7BDDFBC4320F044629FA59E72C0DEB4A9058B95
                                                  APIs
                                                    • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,759183C0,1001F1D6), ref: 1001B666
                                                    • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                    • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                  • DeleteFileA.KERNEL32(00000001,?,00000001,00000001,?,00000001,00000001,00000001), ref: 1000874C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressDeleteFileHandleLibraryLoadModuleProc
                                                  • String ID: .$2$3$4$4$6$6$E$E$F$K$L$N$R$R$R$R$W$W$a$c$d$d$i$i$i$l$l$n$n$o$o$o$open$r$r$r$s$t$t$v$w$w
                                                  • API String ID: 357481036-173339048
                                                  • Opcode ID: b35eb0abf191cff89a94c78c48ed883a63f7157c3257380d681e420933c49f90
                                                  • Instruction ID: b2534d6be5788ef259c749724872d3f87395c9b78c17d96c33da540c7ee2e7e0
                                                  • Opcode Fuzzy Hash: b35eb0abf191cff89a94c78c48ed883a63f7157c3257380d681e420933c49f90
                                                  • Instruction Fuzzy Hash: 5B91291010C3C0D9E356C668848871FBED6ABA668CF48598DB1C95B287C6BF961CC77B
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(KERNEL32.dll,AttachConsole), ref: 10022086
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10022093
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,WriteFile), ref: 100220A1
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100220A8
                                                  • Sleep.KERNEL32(0000000A), ref: 100220F7
                                                  • GetConsoleProcessList.KERNEL32(?,00000001), ref: 10022117
                                                  • #823.MFC42 ref: 1002212C
                                                  • GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 1002213C
                                                  • GetCurrentProcessId.KERNEL32 ref: 1002215C
                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 10022173
                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 10022182
                                                  • CloseHandle.KERNEL32(00000000), ref: 10022185
                                                  • #825.MFC42(00000000), ref: 100221B0
                                                  • FreeConsole.KERNEL32 ref: 100221BE
                                                  • Sleep.KERNEL32(0000000A), ref: 100221C6
                                                  • FreeConsole.KERNEL32 ref: 100221CC
                                                    • Part of subcall function 10010BA0: SetEvent.KERNEL32(?,10017547), ref: 10010BA4
                                                  • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 1002233F
                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 10022383
                                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 100223A7
                                                  • CloseHandle.KERNEL32(00000000), ref: 100223B2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$Console$Handle$AddressCloseFileFreeListProcSleep$#823#825CreateCurrentDirectoryEventLibraryLoadModuleOpenSystemTerminateWrite
                                                  • String ID: AttachConsole$Control-C^C$GetMP privilege::debug sekurlsa::logonpasswords exit$KERNEL32.dll$WriteFile$\GetMP.exe
                                                  • API String ID: 1461520672-3309419308
                                                  • Opcode ID: f95487bccf66c70f92e5032dc02a339e4155c4ac31c217c197b1f4b72327cef6
                                                  • Instruction ID: b6a468493ad061ac8482178f87bbf4ac4eb3df5424be1a0e31324b9b33912b63
                                                  • Opcode Fuzzy Hash: f95487bccf66c70f92e5032dc02a339e4155c4ac31c217c197b1f4b72327cef6
                                                  • Instruction Fuzzy Hash: 73A12875600315ABE710EB64EC81FEB77D4FB84350F450629FE49AB280DA35EC49CBA2
                                                  APIs
                                                  • InternetOpenA.WININET ref: 100138CF
                                                  • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 100138F5
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013902
                                                  • HttpOpenRequestA.WININET(00000000,POST,?,HTTP/1.1,00000000,00000000,80084010,00000000), ref: 10013932
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013945
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013948
                                                  Strings
                                                  • HTTP/1.1, xrefs: 10013926
                                                  • Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1), xrefs: 1001386F
                                                  • qun.qq.com, xrefs: 10013878
                                                  • Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s, xrefs: 1001396D
                                                  • /cgi-bin/qun_mgr/search_group_members, xrefs: 10013898
                                                  • , xrefs: 100138BC
                                                  • POST, xrefs: 1001392C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$CloseHandle$Open$ConnectHttpRequest
                                                  • String ID: $/cgi-bin/qun_mgr/search_group_members$Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s$HTTP/1.1$Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)$POST$qun.qq.com
                                                  • API String ID: 3078302290-2376693140
                                                  • Opcode ID: 492e52c6053871d090237183561d3215cecf92edc6964bc9b14581eaf8abf60b
                                                  • Instruction ID: ea8ef1183b0b68027489ada680c689866708b7ee025198ed557c1e0327d219cf
                                                  • Opcode Fuzzy Hash: 492e52c6053871d090237183561d3215cecf92edc6964bc9b14581eaf8abf60b
                                                  • Instruction Fuzzy Hash: 197119366447147BF310EB689C45FAB77DDFB84720F184629F749A72C0DAB4A9048BA2
                                                  APIs
                                                  • LoadLibraryA.KERNEL32 ref: 1002C1EF
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002C1F8
                                                  • LoadLibraryA.KERNEL32(wininet.dll,InternetCloseHandle), ref: 1002C226
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002C229
                                                  • LoadLibraryA.KERNEL32(wininet.dll,InternetOpenUrlA), ref: 1002C239
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002C23C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: $($)$.$/$0$4$CreateFileA$InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$KERNEL32.dll$M$WININET.dll$b$c$e$m$o$o$p$t$wininet.dll$z
                                                  • API String ID: 2574300362-3884860928
                                                  • Opcode ID: ca17e73f7c677f3fdb1655b1324f00eee7bf92543a9480fd308ae786b4850412
                                                  • Instruction ID: 006d952d8963fd2d8b900117ee8caa1c8225fa452f50328364137ca3976ac07f
                                                  • Opcode Fuzzy Hash: ca17e73f7c677f3fdb1655b1324f00eee7bf92543a9480fd308ae786b4850412
                                                  • Instruction Fuzzy Hash: 4F51916150C3C4AEE311DBA89C84B9FBFD99BD5248F844A1DF28857282C679D608877B
                                                  APIs
                                                    • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,759183C0,1001F1D6), ref: 1001B666
                                                    • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                    • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                  • GetVersionExA.KERNEL32(?), ref: 1001DF7B
                                                    • Part of subcall function 1001AC50: LoadLibraryW.KERNEL32(ntdll.dll,?,00000000,1001B2AF,?,?,?), ref: 1001AC59
                                                    • Part of subcall function 1001AC50: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 1001AC6B
                                                    • Part of subcall function 1001AC50: FreeLibrary.KERNEL32(00000000), ref: 1001AC95
                                                  • ExitProcess.KERNEL32 ref: 1001E015
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Library$AddressLoadProc$ExitFreeHandleModuleProcessVersion
                                                  • String ID: .$.$2$2$3$3$D$I$L$P$S$S$S$S$V$a$c$d$d$e$e$e$e$e$i$l$l$l$l$n$r$s$u$v$v
                                                  • API String ID: 1234256494-3470857448
                                                  • Opcode ID: 36da317328d6cc26efa9d1f20eee9a63af9a5724958b8fbcc2c9a88dd00b065d
                                                  • Instruction ID: faf3d8cbad892df49821192e38232370f2f3dc0b53dba95cfad8dee6dbcf8161
                                                  • Opcode Fuzzy Hash: 36da317328d6cc26efa9d1f20eee9a63af9a5724958b8fbcc2c9a88dd00b065d
                                                  • Instruction Fuzzy Hash: E651292140C3C1DDE312D7688898B5FBFE55BA6348F48499EF1C94A282C2BAC65CC777
                                                  APIs
                                                  • AttachConsole.KERNEL32(?), ref: 1000FEF3
                                                  • Sleep.KERNEL32(0000000A), ref: 1000FEFB
                                                  • AttachConsole.KERNEL32(?), ref: 1000FF05
                                                  • GetConsoleProcessList.KERNEL32(?,00000001), ref: 1000FF18
                                                  • #823.MFC42(00000000), ref: 1000FF29
                                                  • GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 1000FF39
                                                  • GetCurrentProcessId.KERNEL32 ref: 1000FF43
                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 1000FF57
                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 1000FF66
                                                  • CloseHandle.KERNEL32(00000000), ref: 1000FF6D
                                                  • #825.MFC42(00000000), ref: 1000FF7E
                                                  • FreeConsole.KERNEL32 ref: 1000FF8C
                                                  • Sleep.KERNEL32(0000000A), ref: 1000FF94
                                                  • FreeConsole.KERNEL32 ref: 1000FF9A
                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 1000FFA6
                                                  • CloseHandle.KERNEL32(?), ref: 10010006
                                                  • CloseHandle.KERNEL32(?), ref: 1001000E
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00020000), ref: 1001002F
                                                  • OpenServiceA.ADVAPI32(00000000,1011EC82,00000010), ref: 10010043
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 10010050
                                                  • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 10010066
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 10010077
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 1001007A
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 10010087
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 1001008A
                                                  • GetCommandLineA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 100100C8
                                                  • CreateProcessA.KERNEL32(00000000,00000000), ref: 100100D1
                                                  • CloseHandle.KERNEL32(?), ref: 100100E4
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000400), ref: 100100FB
                                                  • CreateProcessA.KERNEL32 ref: 1001016C
                                                  • CloseHandle.KERNEL32(?), ref: 1001017F
                                                  • CloseHandle.KERNEL32(?), ref: 10010186
                                                  • ExitProcess.KERNEL32 ref: 1001018A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandle$Process$Service$Console$Open$AttachCreateFreeListSleepTerminate$#823#825CommandCurrentExitFileLineManagerModuleNameStart
                                                  • String ID: -inst$D$D
                                                  • API String ID: 2444995177-2453324352
                                                  • Opcode ID: f54e4074660f88b0bdae5fe990c320869930c9d88aaffbbe3879b9626df7e8b0
                                                  • Instruction ID: 98985605fcc703f9fdbef281bb8341be8c015c81e6291aeb734cef0fa070c5c2
                                                  • Opcode Fuzzy Hash: f54e4074660f88b0bdae5fe990c320869930c9d88aaffbbe3879b9626df7e8b0
                                                  • Instruction Fuzzy Hash: 9C81C271600316ABE700EB64CC84B7B77E9FF88790F054A2DFA4997694DB74EC018BA5
                                                  APIs
                                                  • #535.MFC42(00000030,00000002,00000000,?,00000000), ref: 10011B2F
                                                  • #540.MFC42 ref: 10011B40
                                                  • #540.MFC42 ref: 10011B4E
                                                  • #6282.MFC42 ref: 10011B69
                                                  • #6283.MFC42 ref: 10011B72
                                                  • #941.MFC42(100FA644), ref: 10011B80
                                                  • #2784.MFC42(100FB4F0,100FA644), ref: 10011B8E
                                                  • #6662.MFC42(00000022,00000001,100FB4F0,100FA644), ref: 10011BB7
                                                  • #4278.MFC42(00000030,00000001,00000000,00000022,00000001,100FB4F0,100FA644), ref: 10011BD6
                                                  • #858.MFC42(00000000,00000030,00000001,00000000,00000022,00000001,100FB4F0,100FA644), ref: 10011BE5
                                                  • #4129.MFC42(?,00000000,100FB4F0,100FA644), ref: 10011C8B
                                                  • #858.MFC42(00000000,?,00000000,100FB4F0,100FA644), ref: 10011C98
                                                  • #800.MFC42(00000000,?,00000000,100FB4F0,100FA644), ref: 10011CA6
                                                  • #535.MFC42(?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011CC2
                                                  • #858.MFC42(00000022,?,000000FF,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011CFA
                                                  • #858.MFC42(00000022,00000022,?,000000FF,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D07
                                                  • #2614.MFC42(00000022,00000022,?,000000FF,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D10
                                                  • #2614.MFC42(00000022,00000022,?,000000FF,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D19
                                                  • #5710.MFC42(?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D32
                                                  • #858.MFC42(00000000,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D41
                                                  • #800.MFC42(00000000,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D4F
                                                  • #6282.MFC42(00000000,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D58
                                                  • #2784.MFC42(100FB4F0,00000000,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D66
                                                  • #535.MFC42(?,?,100FB4F0,100FA644), ref: 10011D8D
                                                  • #858.MFC42(00000022,?,000000FF,?,?,100FB4F0,100FA644), ref: 10011DC5
                                                  • #858.MFC42(00000022,00000022,?,000000FF,?,?,100FB4F0,100FA644), ref: 10011DD2
                                                  • #800.MFC42(100FB4F0,100FA644), ref: 10011DE8
                                                  • #800.MFC42(100FB4F0,100FA644), ref: 10011DF6
                                                  • #800.MFC42(100FB4F0,100FA644), ref: 10011E07
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #858$#800$#535$#2614#2784#540#6282$#4129#4278#5710#6283#6662#941
                                                  • String ID: /
                                                  • API String ID: 2746067309-2043925204
                                                  • Opcode ID: 0da93068c975a70c7a6139256a48672d71f2cdb22226152c638404c253ca3162
                                                  • Instruction ID: 26f83c008789524febe6ecc07bb2f6c57f414736253c4046dad23ffb5fd3ab93
                                                  • Opcode Fuzzy Hash: 0da93068c975a70c7a6139256a48672d71f2cdb22226152c638404c253ca3162
                                                  • Instruction Fuzzy Hash: 9F91B175008385AFC344DF64D591EABF7E5EF98214F804A1CF4A657292EB30FA49CB92
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,SetEvent), ref: 10001717
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001720
                                                  • LoadLibraryA.KERNEL32 ref: 10001792
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001795
                                                  • LoadLibraryA.KERNEL32(user32.dll,GetMessageA), ref: 100017A5
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100017A8
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInAddBuffer), ref: 100017B6
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100017B9
                                                  • LoadLibraryA.KERNEL32(USER32.dll,TranslateMessage), ref: 100017C9
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100017CC
                                                  • LoadLibraryA.KERNEL32(USER32.dll,DispatchMessageA), ref: 100017DC
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100017DF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: DispatchMessageA$F$GetMessageA$KERNEL32.dll$O$S$SetEvent$TranslateMessage$USER32.dll$W$WINMM.dll$a$b$c$g$j$l$n$o$r$user32.dll$waveInAddBuffer
                                                  • API String ID: 2574300362-3155383694
                                                  • Opcode ID: 7e8f983e9651bb8cb031b777cd2917f1a46b555af6ce2a16da49d6b9aa20f874
                                                  • Instruction ID: ccfd42d412a131656b4a3d3b70f2aa919a29a5acdd925cac9141545cb71d5cde
                                                  • Opcode Fuzzy Hash: 7e8f983e9651bb8cb031b777cd2917f1a46b555af6ce2a16da49d6b9aa20f874
                                                  • Instruction Fuzzy Hash: 4341C06050C384AAE310DBB98C48B8BBFD8AFD6758F040A1DF5C497281C679D648CB77
                                                  APIs
                                                    • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,759183C0,1001F1D6), ref: 1001B666
                                                    • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                    • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                  • CloseHandle.KERNEL32(00000000), ref: 1001EA4A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Handle$AddressCloseLibraryLoadModuleProc
                                                  • String ID: .$2$3$C$F$F$G$K$L$N$P$R$S$W$a$d$i$i$i$i$i$l$l$l$l$l$n$o$r$r$r$t$t$t$t$z
                                                  • API String ID: 1380958172-3142711299
                                                  • Opcode ID: 6748aa38af022bd289bb377d339d02cff14f785d1eaa90fdd08f0fe7178630b3
                                                  • Instruction ID: 946dff543b6e3595dbccf81cbd1d6d2ef272db180fb20987739b63d6b6b5eed2
                                                  • Opcode Fuzzy Hash: 6748aa38af022bd289bb377d339d02cff14f785d1eaa90fdd08f0fe7178630b3
                                                  • Instruction Fuzzy Hash: B771252114C3C0DDE342C6A88888B5FFFD55BA6748F48499DF2C85B292D2FA9548C77B
                                                  APIs
                                                  • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF,?,10021131), ref: 10020C4A
                                                  • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF,?,10021131), ref: 10020C5D
                                                  • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001,?,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF,?,10021131), ref: 10020C7A
                                                  • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020CA0
                                                  • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(1011FA5C,00000000,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020CDD
                                                  • CreateFileA.KERNEL32(C:\Users\Public\Documents\MM\4.txt,80000000,00000001,00000000,00000003,00000080,00000000,?,?,00000001,?,00000000), ref: 10020D06
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020D1A
                                                  • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000), ref: 10020D35
                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,00000001,?,00000000), ref: 10020D51
                                                  • CloseHandle.KERNEL32(00000000,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020D69
                                                  • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42), ref: 10020D81
                                                  • Sleep.KERNEL32(000007D0,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020D8E
                                                  • #825.MFC42(?,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020DB0
                                                  • #825.MFC42(?,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020DE3
                                                  • MessageBoxA.USER32(00000000,1011FA20,1011FA30,00000000), ref: 10020E05
                                                  • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020E14
                                                  • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020E26
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$File$#825Virtual$?find@?$basic_string@AllocCloseCreateEos@?$basic_string@FreeGrow@?$basic_string@HandleMessageReadSizeSleep
                                                  • String ID: C:\Users\Public\Documents\MM\4.txt$schtasks /Query /TN MM
                                                  • API String ID: 954268177-2491561334
                                                  • Opcode ID: 09f81e51de5b4e55a1266d7cd62fa590d29f505438a05952fa1a1ebd24a1ed83
                                                  • Instruction ID: 1511acb14b0776a9426427212b465bdbe5287b54f79b6b458a66aec0f56f7bcd
                                                  • Opcode Fuzzy Hash: 09f81e51de5b4e55a1266d7cd62fa590d29f505438a05952fa1a1ebd24a1ed83
                                                  • Instruction Fuzzy Hash: 58910235A41358ABEB14CBA4DC88BEEBFB5EF19710F540258F80AB72C2C7751A41CB65
                                                  APIs
                                                    • Part of subcall function 100109B0: LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,?,?,1000F32E,?,?,00000000,1001DC8E,?,100FA3E4,?), ref: 100109D0
                                                    • Part of subcall function 100109B0: GetProcAddress.KERNEL32(00000000), ref: 100109D7
                                                  • LoadLibraryA.KERNEL32 ref: 1002176D
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021776
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,GetSystemDirectoryA), ref: 10021786
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021789
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,CreatePipe), ref: 10021799
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002179C
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,GetStartupInfoA), ref: 100217AC
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100217AF
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,CreateProcessA), ref: 100217BF
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100217C2
                                                  • WaitForInputIdle.USER32(?,000000FF), ref: 10021998
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$IdleInputWait
                                                  • String ID: C$CreatePipe$CreateProcessA$D$GetStartupInfoA$GetSystemDirectoryA$H$KERNEL32.dll$\cmd.exe$a$dnaH$n$o$s$x32$x64
                                                  • API String ID: 2019908028-49846795
                                                  • Opcode ID: b1f1badee60b7d2773f0297de975696fac9fcf4b16840679e5d0f2b90bffea1c
                                                  • Instruction ID: bfc150779effab5ea3d7964b63c8b7e3cbe5499f3e29779c1004ded5ec084d8e
                                                  • Opcode Fuzzy Hash: b1f1badee60b7d2773f0297de975696fac9fcf4b16840679e5d0f2b90bffea1c
                                                  • Instruction Fuzzy Hash: 3DC1AE75608384AFC724CF24C884B9FBBE5EFD9710F50492DF5889B280DBB4A945CB96
                                                  APIs
                                                  • CoInitialize.OLE32 ref: 1002AED3
                                                  • CoCreateInstance.OLE32(100B7A14,00000000,00000001,100B7A34,?), ref: 1002AEEC
                                                  • LocalAlloc.KERNEL32(00000040,00002710), ref: 1002AEFB
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 1002AF92
                                                  • #823.MFC42(00000000), ref: 1002AFA5
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 1002AFC0
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 1002AFDD
                                                  • #823.MFC42(00000000), ref: 1002AFED
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 1002B008
                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 1002B016
                                                  • wsprintfA.USER32 ref: 1002B066
                                                  • lstrlenA.KERNEL32(00000000), ref: 1002B070
                                                  • lstrlenA.KERNEL32(?), ref: 1002B079
                                                  • lstrlenA.KERNEL32(?), ref: 1002B082
                                                  • LocalSize.KERNEL32(?), ref: 1002B094
                                                  • LocalReAlloc.KERNEL32(?,00000000,00000042), ref: 1002B0A2
                                                  • lstrlenA.KERNEL32(?), ref: 1002B0B1
                                                  • lstrlenA.KERNEL32(?), ref: 1002B0D8
                                                  • lstrlenA.KERNEL32(00000000), ref: 1002B0E7
                                                  • lstrlenA.KERNEL32(00000000), ref: 1002B103
                                                  • lstrlenA.KERNEL32(?), ref: 1002B116
                                                  • lstrlenA.KERNEL32(?), ref: 1002B134
                                                  • #825.MFC42(00000000), ref: 1002B17B
                                                  • #825.MFC42(?), ref: 1002B1C0
                                                  • CoUninitialize.OLE32 ref: 1002B1F5
                                                  • LocalReAlloc.KERNEL32(00000000,00000001,00000042), ref: 1002B203
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrlen$ByteCharLocalMultiWide$Alloc$#823#825Time$CreateFileInitializeInstanceSizeSystemUninitializewsprintf
                                                  • String ID: %d-%d-%d %d:%d:%d
                                                  • API String ID: 1491319390-2068262593
                                                  • Opcode ID: c998fd0d85cb6a43e23119996f2a5db50d18672f6c4d10de8ba2c411afe397de
                                                  • Instruction ID: 700cb4fe50e5196b9883b7f983aa67218d51a5aa0f725b934c60704040cf3690
                                                  • Opcode Fuzzy Hash: c998fd0d85cb6a43e23119996f2a5db50d18672f6c4d10de8ba2c411afe397de
                                                  • Instruction Fuzzy Hash: 2CA1AF75208302ABD310CF24DC91B6BB7E9EF89710F944A28F995A7381DA75E8098792
                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(1012C508), ref: 1002371C
                                                  • LeaveCriticalSection.KERNEL32(1012C508), ref: 10023734
                                                  • malloc.MSVCRT ref: 1002374D
                                                  • malloc.MSVCRT ref: 10023756
                                                  • malloc.MSVCRT ref: 1002375F
                                                  • recv.WS2_32 ref: 100237C6
                                                  • send.WS2_32 ref: 10023846
                                                  • getpeername.WS2_32(?,?,?), ref: 1002387B
                                                  • inet_addr.WS2_32(00000000), ref: 10023888
                                                  • inet_addr.WS2_32(00000000), ref: 100238A2
                                                  • htons.WS2_32(?), ref: 100238AD
                                                  • send.WS2_32 ref: 100238EF
                                                  • CreateThread.KERNEL32(00000000,00000000,10023D00,?,00000000,?), ref: 1002392E
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1002393F
                                                    • Part of subcall function 100234D0: htons.WS2_32 ref: 100234F3
                                                    • Part of subcall function 100234D0: inet_addr.WS2_32(?), ref: 10023509
                                                    • Part of subcall function 100234D0: inet_addr.WS2_32(?), ref: 10023527
                                                    • Part of subcall function 100234D0: socket.WS2_32(00000002,00000001,00000006), ref: 10023533
                                                    • Part of subcall function 100234D0: setsockopt.WS2_32 ref: 1002355E
                                                    • Part of subcall function 100234D0: connect.WS2_32(?,?,00000010), ref: 1002356E
                                                    • Part of subcall function 100234D0: closesocket.WS2_32 ref: 1002357C
                                                  • send.WS2_32(?,?,00000008,00000000), ref: 10023990
                                                  • CreateThread.KERNEL32(00000000,00000000,10023F60,?,00000000,?), ref: 100239BD
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,00000008,00000000), ref: 100239CA
                                                    • Part of subcall function 100232C0: gethostbyname.WS2_32(?), ref: 100232C5
                                                  • closesocket.WS2_32(00000000), ref: 100239D9
                                                  • closesocket.WS2_32(?), ref: 100239DF
                                                  • free.MSVCRT ref: 100239E8
                                                  • free.MSVCRT ref: 100239EB
                                                  • free.MSVCRT ref: 100239F2
                                                  • free.MSVCRT ref: 100239F5
                                                    • Part of subcall function 10022E40: EnterCriticalSection.KERNEL32(1012C508), ref: 10022E6A
                                                    • Part of subcall function 10022E40: LeaveCriticalSection.KERNEL32(1012C508), ref: 10022E82
                                                    • Part of subcall function 10022E40: send.WS2_32(?,HTTP/1.0 200 OK,?,00000000), ref: 10022F1E
                                                    • Part of subcall function 10022E40: CreateThread.KERNEL32(00000000,00000000,10023F60,?,00000000,?), ref: 10022FBC
                                                    • Part of subcall function 10022E40: WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,00000000), ref: 10022FC9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalSectionfreeinet_addrsend$CreateObjectSingleThreadWaitclosesocketmalloc$EnterLeavehtons$connectgethostbynamegetpeernamerecvsetsockoptsocket
                                                  • String ID: [
                                                  • API String ID: 3942976521-784033777
                                                  • Opcode ID: b64080b388e8d217343dfe969d227965d7579416a038b7c2edfdc2482ca0bb12
                                                  • Instruction ID: e8688c2d00ca7c65c9d36b22a345f6eec658f7699299d72b3e5fb85e497582c1
                                                  • Opcode Fuzzy Hash: b64080b388e8d217343dfe969d227965d7579416a038b7c2edfdc2482ca0bb12
                                                  • Instruction Fuzzy Hash: 9381F270608344AFE310DB64DC85B5BBBE8EFC9754F548A1EF58983390E7B1E8448B62
                                                  APIs
                                                  • InternetOpenA.WININET(DownloadApp,00000001,00000000,00000000,00000000), ref: 1002082B
                                                  • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6CC1A3D8,1011F9C8,?,?,1002128D,?,00000001,?,?,00000001), ref: 10020846
                                                  • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,80000000,00000000), ref: 10020871
                                                  • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6CC1A3D8,1011F9B8,?,?,?,1002128D,?,00000001,?,?,00000001), ref: 1002088A
                                                  • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(00000000,?,00000001), ref: 10020894
                                                  • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000,00000000,?,00000001), ref: 1002089A
                                                  • InternetCloseHandle.WININET(00000000), ref: 100208A4
                                                  • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000,00000000,?,00000001), ref: 100209B0
                                                  Strings
                                                  • DownloadApp, xrefs: 10020826
                                                  • https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt, xrefs: 1002081D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: U?$char_traits@$V?$basic_ostream@$??6std@@D@std@@@0@InternetV10@$?endl@std@@D@std@@@1@OpenV21@@$CloseD@2@@0@@D@std@@HandleV?$allocator@V?$basic_string@
                                                  • String ID: DownloadApp$https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt
                                                  • API String ID: 2470020359-224967001
                                                  • Opcode ID: ad3ce8b31274e67954fd6a37d90417a891621fb0744e36309fb1c2d0afbcec6d
                                                  • Instruction ID: 0ce6a5d251b76327a90a7f4cff9c2f8857609bfeed3971df305265b4b3698adb
                                                  • Opcode Fuzzy Hash: ad3ce8b31274e67954fd6a37d90417a891621fb0744e36309fb1c2d0afbcec6d
                                                  • Instruction Fuzzy Hash: B741E439600315BBF210EB74DC85FDB37ECFB48B51F480619FE48E6191D674A9048B65
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,ResumeThread,00000000,?,00000000,7591F550), ref: 100015B9
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100015C2
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,CreateThread,?,00000000,7591F550), ref: 100015D2
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100015D5
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInOpen,?,00000000,7591F550), ref: 100015E5
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100015E8
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInGetNumDevs,?,00000000,7591F550), ref: 100015F8
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100015FB
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInPrepareHeader,?,00000000,7591F550), ref: 10001609
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1000160C
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInAddBuffer,?,00000000,7591F550), ref: 1000161C
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1000161F
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInStart,?,00000000,7591F550), ref: 1000162F
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001632
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: CreateThread$KERNEL32.dll$ResumeThread$WINMM.dll$waveInAddBuffer$waveInGetNumDevs$waveInOpen$waveInPrepareHeader$waveInStart
                                                  • API String ID: 2574300362-1356117283
                                                  • Opcode ID: b16c15dad6be20392214e3733c7d2997f9670e9390d019f32002513cfd113147
                                                  • Instruction ID: 9f0f930b95cd2c35929b0060be92cf7d2e31dda6e2d7e4543e4cf746f9a0d286
                                                  • Opcode Fuzzy Hash: b16c15dad6be20392214e3733c7d2997f9670e9390d019f32002513cfd113147
                                                  • Instruction Fuzzy Hash: 97414CB5900308ABDB10EFA5DC88E9BBBA8EF89350F15095AFA4497201D739E545CBA1
                                                  APIs
                                                  • GlobalAlloc.KERNEL32(00000040,00000100), ref: 1000206D
                                                  • GlobalLock.KERNEL32(00000000), ref: 1000208C
                                                  • GlobalFree.KERNEL32(00000000), ref: 10002099
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Global$AllocFreeLock
                                                  • String ID:
                                                  • API String ID: 1811133220-0
                                                  APIs
                                                  • _access.MSVCRT ref: 100211E6
                                                  • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1002121E
                                                  • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 10021244
                                                  • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt,?,?,00000001), ref: 10021276
                                                  • #825.MFC42(?,?,00000001), ref: 100212AC
                                                  • #825.MFC42(?,?,00000001), ref: 100212D9
                                                  • Sleep.KERNEL32(000000C8), ref: 100212E6
                                                  • CreateFileA.KERNEL32(C:\Users\Public\Documents\MM\7.txt,80000000,00000001,00000000,00000003,00000080,00000000), ref: 10021301
                                                  • MessageBoxA.USER32(00000000,1011FA20,1011FA30,00000000), ref: 1002131C
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 10021328
                                                  • MessageBoxA.USER32(00000000,1011FA0C,1011FA30,00000000), ref: 10021343
                                                  • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 10021358
                                                  • MessageBoxA.USER32(00000000,1011F9FC,1011FA30,00000000), ref: 10021375
                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10021384
                                                  • CloseHandle.KERNEL32(00000000), ref: 10021394
                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 100213AC
                                                  • CloseHandle.KERNEL32(00000000), ref: 100213EA
                                                  Strings
                                                  • API ID: D@2@@std@@D@std@@FileMessageU?$char_traits@V?$allocator@$#825CloseHandleVirtual$?assign@?$basic_string@AllocCreateEos@?$basic_string@FreeGrow@?$basic_string@ReadSizeSleepV12@_access
                                                  • String ID: C:\Users\Public\Documents\MM\7.txt$https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt$runas
                                                  • API String ID: 1859234541-2290419671
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,FreeLibrary,?,L$_RasDefaultCredentials#0,00000000), ref: 1000532C
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005335
                                                  • LoadLibraryA.KERNEL32 ref: 10005386
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005389
                                                  • LoadLibraryA.KERNEL32(?,IsValidSid), ref: 10005397
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1000539A
                                                  Strings
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: .23$2$3$ConvertSidToStringSidA$D$FreeLibrary$I$IsValidSid$L$_RasDefaultCredentials#0$LookupAccountNameA$P$V$kernel32.dll
                                                  • API String ID: 2574300362-2447002180
                                                  APIs
                                                  • #354.MFC42(?,0000000C,?,?,?,?,?,?,00000000), ref: 10008140
                                                  • #5186.MFC42 ref: 1000815A
                                                  • #665.MFC42 ref: 1000816F
                                                  • #540.MFC42(?), ref: 1000818F
                                                  • #537.MFC42(?,?), ref: 1000819E
                                                  • #4204.MFC42(?,?), ref: 100081DA
                                                  • #2915.MFC42(00000080,?,?), ref: 100081EA
                                                  • #5442.MFC42(00000000,?,00000080,?,?), ref: 10008231
                                                  • #5572.MFC42(00000000,00000000,?,00000080,?,?), ref: 10008240
                                                  • #6874.MFC42(00000000,00000000,00000000,?,00000080,?,?), ref: 1000824B
                                                  • #4204.MFC42(00000000,00000000,00000000,?,00000080,?,?), ref: 10008254
                                                  • #2764.MFC42(00000000,00000000,00000000,00000000,?,00000080,?,?), ref: 10008262
                                                  • MessageBoxA.USER32(00000000,100FA624,warning,00000000), ref: 100082AA
                                                  • #1979.MFC42(00000000,?,0000000C,?,?,?,?,?,?,00000000), ref: 100082C2
                                                  • #800.MFC42 ref: 100082D0
                                                  • #800.MFC42 ref: 100082DE
                                                  • #665.MFC42 ref: 100082EF
                                                  Strings
                                                  • API ID: #4204#665#800$#1979#2764#2915#354#5186#537#540#5442#5572#6874Message
                                                  • String ID: $warning
                                                  • API String ID: 2155908909-2294955047
                                                  APIs
                                                  • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000,1011EF78,00000000,0000005C), ref: 1001E484
                                                  • GetLocalTime.KERNEL32(?), ref: 1001E4CE
                                                  • sprintf.MSVCRT ref: 1001E599
                                                  • WriteFile.KERNEL32 ref: 1001E5EE
                                                  • CloseHandle.KERNEL32(00000000), ref: 1001E5F5
                                                    • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCrkat,?,00000000,0000002E,00000001), ref: 10014D10
                                                    • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D19
                                                    • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 10014D27
                                                    • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D2A
                                                  Strings
                                                  • API ID: AddressFileLibraryLoadProc$CloseCreateHandleLocalTimeWritesprintf
                                                  • String ID: $-$4$:$C:\ProgramData\Microsoft Drive\Mark.sys$M$T$TGByte\Setup$a$e$i$k$m$r
                                                  • API String ID: 694383593-1605913938
                                                  APIs
                                                    • Part of subcall function 10007940: #541.MFC42(?,?,?,10097D2B,000000FF), ref: 10007960
                                                    • Part of subcall function 10007940: #540.MFC42(?,?,?,10097D2B,000000FF), ref: 10007970
                                                  • #540.MFC42(?,?,00000000,00000065), ref: 10009F4E
                                                  • #540.MFC42 ref: 10009F5F
                                                  • #540.MFC42 ref: 10009F70
                                                  • #2614.MFC42 ref: 10009F81
                                                  • #860.MFC42(*.*), ref: 10009F8F
                                                  • #3811.MFC42(?,*.*), ref: 10009FB5
                                                  • #3811.MFC42(?,?,*.*), ref: 10009FC5
                                                  • #3811.MFC42(?,?,?,*.*), ref: 10009FD5
                                                  • #3811.MFC42(?,?,?,?,*.*), ref: 10009FE5
                                                  • #3811.MFC42(?,?,?,?,?,*.*), ref: 10009FF5
                                                  • #3811.MFC42(?,?,?,?,?,?,*.*), ref: 1000A005
                                                  • #860.MFC42(?,?,?,?,?,?,?,*.*), ref: 1000A033
                                                  • #2818.MFC42(?,*%s*,?,?,?,?,?,?,?,?,*.*), ref: 1000A04A
                                                  • #860.MFC42(?,?,00000000,00000065), ref: 1000A097
                                                  • #800.MFC42 ref: 1000A0D2
                                                  • #800.MFC42 ref: 1000A0E3
                                                  • #800.MFC42 ref: 1000A0F3
                                                  Strings
                                                  • API ID: #3811$#540$#800#860$#2614#2818#541
                                                  • String ID: *%s*$*.*
                                                  • API String ID: 185796673-1558234275
                                                  APIs
                                                  • LoadLibraryA.KERNEL32 ref: 1002C6B7
                                                  • GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 1002C6C7
                                                  • GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 1002C6D1
                                                  • GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 1002C6DD
                                                  • LoadLibraryA.KERNEL32(kernel32.dll), ref: 1002C6E8
                                                  • GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 1002C6F4
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 1002C750
                                                  • GetProcAddress.KERNEL32(00000000,GetLastError), ref: 1002C758
                                                  • CloseHandle.KERNEL32(?), ref: 1002C76A
                                                  • FreeLibrary.KERNEL32(00000000), ref: 1002C77B
                                                  • FreeLibrary.KERNEL32(?), ref: 1002C786
                                                  Strings
                                                  • API ID: AddressLibraryProc$Load$Free$CloseHandle
                                                  • String ID: ADVAPI32.dll$AdjustTokenPrivileges$GetCurrentProcess$GetLastError$KERNEL32.dll$LookupPrivilegeValueA$OpenProcessToken$kernel32.dll
                                                  • API String ID: 2887716753-1648388921
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,SetEvent), ref: 10001329
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001332
                                                  • LoadLibraryA.KERNEL32 ref: 100013A4
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100013A7
                                                    • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(KERNEL32.dll,ResumeThread,00000000,?,00000000,7591F550), ref: 100015B9
                                                    • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015C2
                                                    • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(KERNEL32.dll,CreateThread,?,00000000,7591F550), ref: 100015D2
                                                    • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015D5
                                                    • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInOpen,?,00000000,7591F550), ref: 100015E5
                                                    • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015E8
                                                    • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInGetNumDevs,?,00000000,7591F550), ref: 100015F8
                                                    • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015FB
                                                    • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInPrepareHeader,?,00000000,7591F550), ref: 10001609
                                                    • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 1000160C
                                                    • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInAddBuffer,?,00000000,7591F550), ref: 1000161C
                                                    • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 1000161F
                                                    • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInStart,?,00000000,7591F550), ref: 1000162F
                                                    • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 10001632
                                                  Strings
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: F$KERNEL32.dll$O$S$SetEvent$W$a$b$c$g$j$l$n$o$r
                                                  • API String ID: 2574300362-1789360232
                                                  • Opcode ID: 8681ca1b1b33f73bda7f61c2a29eb6732c7a1b4a0c27a5eda15d591767e8de8a
                                                  • Instruction ID: 6d0500b828a3b4bacedf277e9e204f21e6ad90e68e93e0fee001a8a00f1ea147
                                                  • Opcode Fuzzy Hash: 8681ca1b1b33f73bda7f61c2a29eb6732c7a1b4a0c27a5eda15d591767e8de8a
                                                  • Instruction Fuzzy Hash: 7531C26110C3C08ED301DA6D9840B9BFFD59FA6658F090A9EE5C857343C6AAD61CC7BB
                                                  APIs
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,00000000,00000001,00000001), ref: 1000724A
                                                  • LocalAlloc.KERNEL32(00000040,00000400), ref: 100072B9
                                                  • GetFileAttributesA.KERNEL32(?), ref: 100072C9
                                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 100072F2
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 10007301
                                                  • malloc.MSVCRT ref: 1000730E
                                                  • ReadFile.KERNEL32(?,00000000,?,0000023D,00000000), ref: 10007335
                                                  • CloseHandle.KERNEL32(?), ref: 10007342
                                                  • free.MSVCRT ref: 10007378
                                                  • lstrlenA.KERNEL32(?), ref: 100073F9
                                                  • lstrlenA.KERNEL32(?), ref: 10007418
                                                  • lstrlenA.KERNEL32(?), ref: 10007427
                                                  • lstrlenA.KERNEL32(?), ref: 10007449
                                                  • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 10007457
                                                  • lstrlenA.KERNEL32(?), ref: 10007476
                                                  • lstrlenA.KERNEL32(?), ref: 10007493
                                                  • LocalReAlloc.KERNEL32(00000000,-00000002,00000042), ref: 100074A0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrlen$File$AllocLocal$AttributesCloseCreateFolderHandlePathReadSizeSpecialfreemalloc
                                                  • String ID: Version
                                                  • API String ID: 2101459175-1889659487
                                                  • Opcode ID: 888e3cd4f61a183a7bdcc57cae87bda2e6449d5a84a4b9969f7d5d2a1a82d378
                                                  • Instruction ID: 50175a7f71ee47e87c9703601210e5e83de23d683255c8417447b4e14873cd47
                                                  • Opcode Fuzzy Hash: 888e3cd4f61a183a7bdcc57cae87bda2e6449d5a84a4b9969f7d5d2a1a82d378
                                                  • Instruction Fuzzy Hash: 3661C5756002045BE728DB78CC99BEB3795FB88310F584B2DFE1ADB2D5DB74AA04C660
                                                  APIs
                                                  • #2614.MFC42(00000000,?), ref: 100110F5
                                                  • #2614.MFC42(00000000,?), ref: 100110FD
                                                  • #6143.MFC42(00000000,000000FF,00000000,?), ref: 10011110
                                                  • #2614.MFC42(00000000,000000FF,00000000,?), ref: 1001111C
                                                    • Part of subcall function 10012190: #825.MFC42(?,00000000,?,?,?,1001112D,00000000,000000FF,00000000,000000FF,00000000,?), ref: 100121D1
                                                  • #860.MFC42(?,00000000,000000FF,00000000,000000FF,00000000,?), ref: 10011137
                                                  • PathGetArgsA.SHLWAPI(00000000,?), ref: 10011172
                                                  • #860.MFC42(00000000), ref: 1001117C
                                                  • PathRemoveArgsA.SHLWAPI(00000000), ref: 10011186
                                                  • PathUnquoteSpacesA.SHLWAPI(00000000,?), ref: 10011191
                                                  • _splitpath.MSVCRT ref: 100111C5
                                                  • #860.MFC42(?,?,?,?,?), ref: 100111D6
                                                  • #860.MFC42(?,?,?,?,?,?), ref: 100111E8
                                                  • #6876.MFC42(0000002F,0000005C,?,?,?,?,?,?), ref: 100111F3
                                                  • #858.MFC42 ref: 10011237
                                                  • #800.MFC42 ref: 1001124A
                                                  • #941.MFC42(?), ref: 10011259
                                                  • #858.MFC42 ref: 1001127E
                                                  • #800.MFC42 ref: 1001128E
                                                  • #860.MFC42(?,0000002F,0000005C,?,?,?,?,?,?), ref: 100112A0
                                                  • #860.MFC42(?,?,0000002F,0000005C,?,?,?,?,?,?), ref: 100112BE
                                                  • #6874.MFC42(0000002E,?,?,0000002F,0000005C,?,?,?,?,?,?), ref: 100112C7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #860$#2614Path$#800#858Args$#6143#6874#6876#825#941RemoveSpacesUnquote_splitpath
                                                  • String ID:
                                                  • API String ID: 2691293456-0
                                                  • Opcode ID: 3e2eda024314cc5e32bb76d915b38d128f259786ccef139dba7872ee867caee5
                                                  • Instruction ID: c1f90ecbaa6655960492b8b6f0b929a9783f598dd6715e5503ef59e830b1600e
                                                  • Opcode Fuzzy Hash: 3e2eda024314cc5e32bb76d915b38d128f259786ccef139dba7872ee867caee5
                                                  • Instruction Fuzzy Hash: 9451C3792043459BC728CF64D951FEEB7E9EF88710F40461CF55A872C1DB70A609CB96
                                                  APIs
                                                  • LoadLibraryA.KERNEL32 ref: 1000590A
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005913
                                                  • LoadLibraryA.KERNEL32(?,LsaOpenPolicy), ref: 10005923
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005926
                                                  • LoadLibraryA.KERNEL32(?,LsaClose), ref: 10005934
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005937
                                                  • free.MSVCRT ref: 10005993
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$free
                                                  • String ID: .23$2$3$D$I$L$_RasDefaultCredentials#0$LsaClose$LsaOpenPolicy$LsaRetrievePrivateData$P$V
                                                  • API String ID: 1540231353-1695543321
                                                  • Opcode ID: 885de384c055e857efefd678615c9cae5315e7cc058022f3c828cce3297e37f7
                                                  • Instruction ID: b87623f99a44c4d79927182bb7b3290fde75b39c0de0aa94dcbdadddc74f4482
                                                  • Opcode Fuzzy Hash: 885de384c055e857efefd678615c9cae5315e7cc058022f3c828cce3297e37f7
                                                  • Instruction Fuzzy Hash: 1A3192B610C3859ED300DB68DC84AABBBD8EBD4254F44491EF988D7241E675DA0DCBA3
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseDeleteFreeLocalOpenwsprintf
                                                  • String ID: D$N$U$a$a$i$m$m$o$o$r$t$u
                                                  • API String ID: 321629408-3882932831
                                                  • Opcode ID: f3ef1aa64334a6f8a8983bb0ce524996e391ea5494bb12541602a1a6a0b68d46
                                                  • Instruction ID: 9e633f2ff59cbc2020f784f894622fe3b489b46e50fdb71083fa3736798a3e6b
                                                  • Opcode Fuzzy Hash: f3ef1aa64334a6f8a8983bb0ce524996e391ea5494bb12541602a1a6a0b68d46
                                                  • Instruction Fuzzy Hash: 4941256610E3C1DED302CB689484A8BBFD56BB6608F48499DF4C857342C6A9C61CC7BB
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCrkat,?,00000000,0000002E,00000001), ref: 10014D10
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10014D19
                                                  • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 10014D27
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10014D2A
                                                  • RegSetValueExA.ADVAPI32(00000000,?,00000000,0000004D,ExA,0000004D), ref: 10014DD4
                                                  • RegSetValueExA.ADVAPI32(00000000,?,00000000,0000004D,?), ref: 10014DFE
                                                  • RegDeleteKeyA.ADVAPI32(?,?), ref: 10014E2A
                                                  • RegDeleteValueA.ADVAPI32(?,?), ref: 10014E56
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Value$AddressDeleteLibraryLoadProc
                                                  • String ID: A$ADVAPI32.dll$E$ExA$K$RegCrkat$RegOpenKeyExA$x$y
                                                  • API String ID: 839562100-350676929
                                                  • Opcode ID: 4be524b758586956944c9cf266d6c6eb3a393cda1bd587d0aa69720bbd559af3
                                                  • Instruction ID: 1ed5652b7448f0d279fc009ec0fc7650b7380c8c77e483b0f181bc9d886ff7ae
                                                  • Opcode Fuzzy Hash: 4be524b758586956944c9cf266d6c6eb3a393cda1bd587d0aa69720bbd559af3
                                                  • Instruction Fuzzy Hash: 60516F71A04289AEDB00DBA8CC84FEF7BB8EB99754F054109F604AB291DB74E940CB60
                                                  APIs
                                                  • #540.MFC42 ref: 1000A14F
                                                  • #540.MFC42 ref: 1000A163
                                                  • #860.MFC42(00000000), ref: 1000A1B1
                                                    • Part of subcall function 10010FD0: #800.MFC42 ref: 10011005
                                                    • Part of subcall function 10010FD0: #825.MFC42(?), ref: 10011044
                                                    • Part of subcall function 10010FD0: #800.MFC42 ref: 1001105A
                                                    • Part of subcall function 10010FD0: #800.MFC42 ref: 10011067
                                                    • Part of subcall function 10010FD0: #800.MFC42 ref: 10011074
                                                    • Part of subcall function 10010FD0: #800.MFC42 ref: 10011081
                                                    • Part of subcall function 10010FD0: #801.MFC42 ref: 1001108E
                                                    • Part of subcall function 10010FD0: #800.MFC42 ref: 1001109B
                                                    • Part of subcall function 10010FD0: #800.MFC42 ref: 100110A8
                                                    • Part of subcall function 10010FD0: #800.MFC42 ref: 100110B8
                                                  • lstrcpyA.KERNEL32(?,?,00000000), ref: 1000A1DA
                                                  • CreateFileA.KERNEL32(?,00000008,00000001,00000000,00000003,00000000,00000000), ref: 1000A1ED
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 1000A1FD
                                                  • CloseHandle.KERNEL32(00000000), ref: 1000A20B
                                                  • PathFindFileNameA.SHLWAPI(?), ref: 1000A216
                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 1000A225
                                                  • GetFileAttributesExA.KERNEL32(?,00000000,?), ref: 1000A233
                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 1000A243
                                                  • wsprintfA.USER32 ref: 1000A276
                                                  • #823.MFC42(0000022E), ref: 1000A281
                                                  • Sleep.KERNEL32(0000000A), ref: 1000A2B1
                                                  • #800.MFC42 ref: 1000A2C5
                                                  • #800.MFC42 ref: 1000A2D9
                                                    • Part of subcall function 10011EC0: #858.MFC42(00000000,?,00000000,00000000,?,00000000,00000000,10098838,000000FF,1000A1AC), ref: 10011EF8
                                                    • Part of subcall function 10011EC0: #800.MFC42(00000000,?,00000000,00000000,?,00000000,00000000,10098838,000000FF,1000A1AC), ref: 10011F09
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #800$File$#540Timelstrcpy$#801#823#825#858#860AttributesCloseCreateFindHandleNamePathSizeSleepSystemwsprintf
                                                  • String ID: %d-%d-%d
                                                  • API String ID: 4162832437-1067691376
                                                  • Opcode ID: 4c5e51f3c3ce9325c0f13647d86720a2bd2c162aee3e428c51b27422406379ed
                                                  • Instruction ID: e65afb7b552d62d436e06514f25d1dc28ad07c56c8aeeae503be500a7d4ecf2d
                                                  • Opcode Fuzzy Hash: 4c5e51f3c3ce9325c0f13647d86720a2bd2c162aee3e428c51b27422406379ed
                                                  • Instruction Fuzzy Hash: 67419079148382ABE324DB64CC49FAFB7A8FF85700F044A2CF599972D1CB74A544CB62
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,ReadFile), ref: 10021ECA
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021ED3
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,LocalAlloc), ref: 10021EE3
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021EE6
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,LocalFree), ref: 10021EF6
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021EF9
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,Sleep), ref: 10021F09
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021F0C
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,PeekNamedPipe), ref: 10021F1C
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021F1F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: KERNEL32.dll$LocalAlloc$LocalFree$PeekNamedPipe$ReadFile$Sleep$kernel32.dll
                                                  • API String ID: 2574300362-1218197485
                                                  • Opcode ID: ae99c4de682ce8f5426df40ffa18d405177226560cee9ac61f9760ad7688557d
                                                  • Instruction ID: 488b720c999c8ca333d018047e43cc708c8e97cf319704916a3fb7cbdab07fd3
                                                  • Opcode Fuzzy Hash: ae99c4de682ce8f5426df40ffa18d405177226560cee9ac61f9760ad7688557d
                                                  • Instruction Fuzzy Hash: 35312DB1614349ABD714EFB1CD48F9B7AE8EFC8744F40092DB684A7140DB74E904CBA6
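The LoadLibraryA/GetProcAddress chains listed above (the LSA functions at 10005923 and 10005934, the ADVAPI32 registry functions at 10014D10 and 10014D27, and the KERNEL32 pipe and memory functions from 10021ECA to 10021F1C) resolve their targets at run time, so names such as LsaRetrievePrivateData, RegOpenKeyExA and PeekNamedPipe appear as strings in the dump rather than as entries in the static import table. The following triage helper, added here as an example and not part of Joe Sandbox or of the sample, recovers those runtime-resolved names from a listing in this format. It rests on one heuristic assumption: the argument printed right after the library name on a LoadLibraryA line is the next stack slot, that is, the name string consumed by the GetProcAddress call that follows, which is why the second argument is treated as the export name. Where the plugin could not recover a string (1000590A, 1001A292) the call is reported for manual follow-up. The sample listing embedded in the block is constructed from lines that appear in this report; the placeholder import-table set in the usage section is invented and must be replaced by the sample's real IAT names. Note that "RegCrkat" is taken as printed: the String ID list for that function (ExA, E, K, x, y) suggests the name is assembled from fragments, so the recovered token is not always a complete export name.

```python
"""Triage helper for a Joe Sandbox IDA-plugin "APIs" listing: recover the
imports a sample resolves at run time through LoadLibraryA/GetProcAddress
(or GetModuleHandleA/GetProcAddress) so they can be compared with the
static import table.

Added example for this report, not code from Joe Sandbox or from the
sample. Heuristic assumption: the argument printed right after the library
name on a LoadLibraryA line is the next stack slot, i.e. the name string
consumed by the GetProcAddress call that follows it.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: lines copied from the API listings in this report.
SAMPLE_LISTING = """\
• LoadLibraryA.KERNEL32(WINMM.dll,waveInStart,?,00000000,7591F550), ref: 1000162F
• GetProcAddress.KERNEL32(00000000), ref: 10001632
• LoadLibraryA.KERNEL32 ref: 1000590A
• GetProcAddress.KERNEL32(00000000), ref: 10005913
• LoadLibraryA.KERNEL32(?,LsaOpenPolicy), ref: 10005923
• LoadLibraryA.KERNEL32(?,LsaClose), ref: 10005934
• LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCrkat,?,00000000,0000002E,00000001), ref: 10014D10
• LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 10014D27
• LoadLibraryA.KERNEL32(KERNEL32.dll,ReadFile), ref: 10021ECA
• LoadLibraryA.KERNEL32(kernel32.dll,LocalAlloc), ref: 10021EE3
• LoadLibraryA.KERNEL32(kernel32.dll,LocalFree), ref: 10021EF6
• LoadLibraryA.KERNEL32(KERNEL32.dll,Sleep), ref: 10021F09
• LoadLibraryA.KERNEL32(KERNEL32.dll,PeekNamedPipe), ref: 10021F1C
• GetModuleHandleA.KERNEL32 ref: 1001A292
"""

# One listing line: "<api>.KERNEL32[(<args>),] ref: <hex address>"
LINE_RE = re.compile(
    r"^\W*(?P<api>LoadLibraryA|LoadLibraryW|GetModuleHandleA|GetModuleHandleW)"
    r"\.KERNEL32(?:\((?P<args>[^)]*)\),)? ref: (?P<ref>[0-9A-Fa-f]+)\s*$"
)
# A recovered argument that reads as an export name rather than a stack
# value: identifier characters, and not an 8-digit hex word.
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
HEXWORD_RE = re.compile(r"[0-9A-Fa-f]{8}")


@dataclass(frozen=True)
class DynamicImport:
    ref: str      # address of the LoadLibraryA/GetModuleHandleA call
    library: str  # lowercased DLL name, or "?" when not recovered
    name: str     # export name string, or "?" when not recovered


def _looks_like_export_name(token: str) -> bool:
    return bool(NAME_RE.fullmatch(token)) and not HEXWORD_RE.fullmatch(token)


def parse_listing(text: str) -> list[DynamicImport]:
    """Return one record per library-resolution call found in the listing."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # GetProcAddress and unrelated lines carry no name here
        args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
        library = args[0].lower() if args and args[0].lower().endswith(".dll") else "?"
        name = args[1] if len(args) > 1 and _looks_like_export_name(args[1]) else "?"
        records.append(DynamicImport(m.group("ref"), library, name))
    return records


def resolved_by_library(records: list[DynamicImport]) -> dict[str, set[str]]:
    """Group recovered export names by DLL; calls without a name are skipped."""
    grouped: dict[str, set[str]] = defaultdict(set)
    for r in records:
        if r.name != "?":
            grouped[r.library].add(r.name)
    return dict(grouped)


def not_in_static_imports(records: list[DynamicImport], iat_names: set[str]) -> set[str]:
    """Names resolved at run time that the PE import table does not list.

    iat_names is supplied by the caller (normally read from the sample's
    import directory, e.g. with pefile) so this helper stays offline.
    """
    return {r.name for r in records if r.name != "?" and r.name not in iat_names}


def unresolved_refs(records: list[DynamicImport]) -> list[str]:
    """Calls whose name string the plugin did not recover: pivot on these manually."""
    return [r.ref for r in records if r.name == "?"]


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    for lib, names in sorted(resolved_by_library(recs).items()):
        print(f"{lib:14} {', '.join(sorted(names))}")
    # Constructed placeholder for the static import table; replace with the
    # real IAT names of the sample before drawing conclusions.
    placeholder_iat = {"LoadLibraryA", "GetProcAddress", "ReadFile", "Sleep"}
    print("hidden:", sorted(not_in_static_imports(recs, placeholder_iat)))
    print("needs manual look:", unresolved_refs(recs))
```

The grouping deliberately keeps the library as "?" for the LSA calls, since the listing shows no DLL name for them; the export names still point at the ADVAPI32/SECUR32 LSA policy API and are the pivot for confirming the credential-retrieval behaviour flagged elsewhere in this report.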
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32 ref: 1001A292
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1001A299
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: G$I$N$S$a$f$i$kernel32.dll$m$n$o$s$v$y
                                                  • API String ID: 1646373207-3978980583
                                                  APIs
                                                  • LoadCursorA.USER32(00000000,00000000), ref: 10018B13
                                                    • Part of subcall function 100193B0: ReleaseDC.USER32(?,?), ref: 100193CA
                                                    • Part of subcall function 100193B0: GetDesktopWindow.USER32 ref: 100193D0
                                                    • Part of subcall function 100193B0: GetDC.USER32(00000000), ref: 100193DD
                                                  • GetDesktopWindow.USER32 ref: 10018B62
                                                  • GetDC.USER32(00000000), ref: 10018B6F
                                                  • GetTickCount.KERNEL32 ref: 10018B83
                                                  • GetSystemMetrics.USER32(00000000), ref: 10018BAD
                                                  • GetSystemMetrics.USER32(00000001), ref: 10018BB4
                                                  • CreateCompatibleDC.GDI32(?), ref: 10018BD2
                                                  • CreateCompatibleDC.GDI32(?), ref: 10018BDB
                                                  • CreateCompatibleDC.GDI32(00000000), ref: 10018BE4
                                                  • CreateCompatibleDC.GDI32(00000000), ref: 10018BEA
                                                  • CreateDIBSection.GDI32(?,?,00000000,0000005C,00000000,00000000), ref: 10018C49
                                                  • CreateDIBSection.GDI32(?,?,00000000,00000060,00000000,00000000), ref: 10018C5A
                                                  • CreateDIBSection.GDI32(?,?,00000000,00000078,00000000,00000000), ref: 10018C6E
                                                  • SelectObject.GDI32(?,?), ref: 10018C84
                                                  • SelectObject.GDI32(?,?), ref: 10018C8E
                                                  • SelectObject.GDI32(?,?), ref: 10018C9E
                                                  • SetRect.USER32(00000034,00000000,00000000,?,?), ref: 10018CAE
                                                  • #823.MFC42(00000002), ref: 10018CBD
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Create$Compatible$ObjectSectionSelect$DesktopMetricsSystemWindow$#823CountCursorLoadRectReleaseTick
                                                  • String ID:
                                                  • API String ID: 704209761-0
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                  • Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                  • #4202.MFC42(00000000), ref: 1000BC03
                                                  • Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                  • #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                  • #4202.MFC42 ref: 1000BC35
                                                  • #5572.MFC42(000000FF), ref: 1000BC78
                                                  • #800.MFC42(000000FF), ref: 1000BC88
                                                  • Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                  • #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                  • #800.MFC42 ref: 1000BCC0
                                                  • OpenProcess.KERNEL32(00000001,00000000,00000128), ref: 1000BCE7
                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 1000BCF1
                                                  • CloseHandle.KERNEL32(00000000), ref: 1000BCF8
                                                  • #5572.MFC42(000000FF), ref: 1000BD04
                                                  • #5572.MFC42(000000FF,000000FF), ref: 1000BD12
                                                  • #800.MFC42(000000FF,000000FF), ref: 1000BD22
                                                  • #800.MFC42(000000FF,000000FF), ref: 1000BD39
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #5572#800$Process32$#4202NextProcess$#537CloseCreateFirstHandleOpenSnapshotTerminateToolhelp32
                                                  • String ID:
                                                  • API String ID: 1944864456-0
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32 ref: 1001D8AD
                                                  • strrchr.MSVCRT ref: 1001D8C3
                                                  • strrchr.MSVCRT ref: 1001D904
                                                  • isdigit.MSVCRT ref: 1001D93C
                                                  • memmove.MSVCRT(?,?), ref: 1001D95D
                                                  • atoi.MSVCRT(?), ref: 1001D995
                                                  • sprintf.MSVCRT ref: 1001D9B9
                                                    • Part of subcall function 1001D480: GetFileAttributesA.KERNEL32(?,1001D9C8,?), ref: 1001D485
                                                  • sprintf.MSVCRT ref: 1001D9E3
                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000), ref: 1001DA13
                                                  • CloseHandle.KERNEL32(00000000), ref: 1001DA23
                                                  • printf.MSVCRT ref: 1001DA36
                                                  • printf.MSVCRT ref: 1001DA50
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$printfsprintfstrrchr$AttributesCloseCreateHandleModuleNameatoiisdigitmemmove
                                                  • String ID: At least one INI file in range 1 to 30 already exists.$C:\ProgramData\%d.ini$INI file path: %s
                                                  • API String ID: 584443958-3437802155
                                                  APIs
                                                  • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 10029574
                                                  • GetCurrentProcess.KERNEL32(?), ref: 1002957F
                                                  • IsWow64Process.KERNEL32(00000000), ref: 10029586
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 100295D1
                                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000004,00000000,00000000), ref: 100295EB
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 100295FB
                                                  • LocalAlloc.KERNEL32(00000040,00000002), ref: 10029609
                                                  • ReadFile.KERNEL32(00000000,00000001,00000000,00000000,00000000), ref: 1002961E
                                                  • LocalFree.KERNEL32(00000000), ref: 10029629
                                                  • CloseHandle.KERNEL32(00000000), ref: 10029630
                                                  • CloseHandle.KERNEL32(00000000), ref: 10029641
                                                  • LocalSize.KERNEL32(00000000), ref: 1002964B
                                                  • LocalFree.KERNEL32(00000000), ref: 1002965D
                                                  Strings
                                                  • \sysnative\drivers\etc\hosts, xrefs: 10029596
                                                  • \system32\drivers\etc\hosts, xrefs: 1002959D
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileLocal$CloseFreeHandleProcessSize$AllocAttributesCreateCurrentDirectoryReadWindowsWow64
                                                  • String ID: \sysnative\drivers\etc\hosts$\system32\drivers\etc\hosts
                                                  • API String ID: 2528494210-1011561390
                                                  APIs
                                                  • CreatePipe.KERNEL32 ref: 10020A72
                                                  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,08000000,00000000,00000000,00000044,?), ref: 10020AED
                                                  • CloseHandle.KERNEL32(?), ref: 10020AFA
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Create$CloseHandlePipeProcess
                                                  • String ID: D$schtasks /Query /TN MM
                                                  • API String ID: 1262542551-2635328053
                                                  APIs
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: getenv
                                                  • String ID: JSIMD_FORCE3DNOW$JSIMD_FORCEAVX2$JSIMD_FORCEMMX$JSIMD_FORCENONE$JSIMD_FORCESSE$JSIMD_FORCESSE2$JSIMD_NOHUFFENC
                                                  • API String ID: 498649692-40509672
                                                  APIs
                                                  • LoadLibraryA.KERNEL32 ref: 10005AA7
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005AAE
                                                    • Part of subcall function 10005310: LoadLibraryA.KERNEL32(kernel32.dll,FreeLibrary,?,L$_RasDefaultCredentials#0,00000000), ref: 1000532C
                                                    • Part of subcall function 10005310: GetProcAddress.KERNEL32(00000000), ref: 10005335
                                                    • Part of subcall function 10005310: LoadLibraryA.KERNEL32 ref: 10005386
                                                    • Part of subcall function 10005310: GetProcAddress.KERNEL32(00000000), ref: 10005389
                                                    • Part of subcall function 10005310: LoadLibraryA.KERNEL32(?,IsValidSid), ref: 10005397
                                                    • Part of subcall function 10005310: GetProcAddress.KERNEL32(00000000), ref: 1000539A
                                                  • wsprintfA.USER32 ref: 10005B17
                                                    • Part of subcall function 100058B0: LoadLibraryA.KERNEL32 ref: 1000590A
                                                    • Part of subcall function 100058B0: GetProcAddress.KERNEL32(00000000), ref: 10005913
                                                    • Part of subcall function 100058B0: LoadLibraryA.KERNEL32(?,LsaOpenPolicy), ref: 10005923
                                                    • Part of subcall function 100058B0: GetProcAddress.KERNEL32(00000000), ref: 10005926
                                                    • Part of subcall function 100058B0: LoadLibraryA.KERNEL32(?,LsaClose), ref: 10005934
                                                    • Part of subcall function 100058B0: GetProcAddress.KERNEL32(00000000), ref: 10005937
                                                    • Part of subcall function 10005B80: LoadLibraryA.KERNEL32(KERNEL32.dll,WideCharToMultiByte,?,00000000,00000000), ref: 10005B96
                                                    • Part of subcall function 10005B80: GetProcAddress.KERNEL32(00000000), ref: 10005B9D
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$wsprintf
                                                  • String ID: .$2$3$D$I$L$_RasDefaultCredentials#0$LsaFreeMemory$P$RasDialParams!%s#0$V$d
                                                  • API String ID: 2290142023-608447665
                                                  • Opcode ID: ce02f7ea02b34bf1def763f01addefc66c280edfd5cd4819a27cc4b3bb6cd685
                                                  • Instruction ID: 4c1d29f0bd828654cd513fdf21a7457cee7c04ca4083380b940b1afa8f540c18
                                                  • Opcode Fuzzy Hash: ce02f7ea02b34bf1def763f01addefc66c280edfd5cd4819a27cc4b3bb6cd685
                                                  • Instruction Fuzzy Hash: 123105751083809FE301CF68C894A6BBBE9AF99B04F44495CF5C987342D775E90CCBA6
                                                  APIs
                                                  • LoadLibraryA.KERNEL32 ref: 1000105A
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001061
                                                  • #823.MFC42(000003E8), ref: 1000109D
                                                  • #823.MFC42(00000020,000003E8), ref: 100010A7
                                                  • #823.MFC42(000003E8,00000020,000003E8), ref: 100010B2
                                                  • #823.MFC42(00000020,000003E8,00000020,000003E8), ref: 100010BC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823$AddressLibraryLoadProc
                                                  • String ID: A$C$E$KERNEL32.dll$a$n$r$v
                                                  • API String ID: 4155842574-2549505875
                                                  • Opcode ID: a16daf83469977fc098d6e9d6d2204c32631686849e5759c66df8540c12cc638
                                                  • Instruction ID: d4cdf86d6ce510d6661d11d19ce4d48ee2c343f99e241af99f0dca74e59b5833
                                                  • Opcode Fuzzy Hash: a16daf83469977fc098d6e9d6d2204c32631686849e5759c66df8540c12cc638
                                                  • Instruction Fuzzy Hash: 9E317CB04087819ED310CF69D844647FBE8FF59308F44495EE1C987712D7B9E648CBAA
                                                  APIs
                                                  • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 10027190
                                                  • lstrcatA.KERNEL32(?,\termsrv.dll), ref: 100271A0
                                                    • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                    • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                    • Part of subcall function 100270F0: CreateToolhelp32Snapshot.KERNEL32 ref: 10027105
                                                    • Part of subcall function 100270F0: Process32First.KERNEL32(00000000,?), ref: 10027112
                                                    • Part of subcall function 100270F0: Process32Next.KERNEL32(00000000,?), ref: 10027150
                                                    • Part of subcall function 100270F0: CloseHandle.KERNEL32(00000000,00000000,?), ref: 1002715B
                                                    • Part of subcall function 1001B690: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1001B6D2
                                                    • Part of subcall function 1001B690: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6EA
                                                    • Part of subcall function 1001B690: GetLastError.KERNEL32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6F0
                                                    • Part of subcall function 1001B690: CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,00000000,00000000), ref: 1001B6FF
                                                    • Part of subcall function 1001B690: CloseHandle.KERNEL32(?,?,00000000,?,00000010,00000000,00000000), ref: 1001B710
                                                  • GetProcessId.KERNEL32(csrss.exe,?,?,?,00000065,?,?,\termsrv.dll), ref: 100271E9
                                                  • AbortSystemShutdownA.ADVAPI32(00000000), ref: 100271F9
                                                  • GetProcessId.KERNEL32(drwtsn32.exe,?,75920F00,?,?,?,00000065,?,?,\termsrv.dll), ref: 10027212
                                                  • EnumWindows.USER32(10026EF0,00000000), ref: 10027222
                                                  • EnumWindows.USER32(10026EF0,00000000), ref: 1002722A
                                                  • Sleep.KERNEL32(0000000A,?,75920F00,?,?,?,00000065,?,?,\termsrv.dll), ref: 1002722E
                                                  • AbortSystemShutdownA.ADVAPI32(00000000), ref: 10027232
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CloseHandleSystem$AbortEnumProcess32ShutdownTokenWindows$AdjustCreateCurrentDirectoryErrorFirstLastLookupNextOpenPrivilegePrivilegesSleepSnapshotToolhelp32Valuelstrcat
                                                  • String ID: SeDebugPrivilege$SeShutdownPrivilege$\termsrv.dll$csrss.exe$drwtsn32.exe
                                                  • API String ID: 1044539573-3630850118
                                                  • Opcode ID: d5a0710410a0e9500b4991e7e6425a2297be46b0c83ce66be67affcab5a6566f
                                                  • Instruction ID: 545092d0061a551161942da714494b3baf1c79c136666c6f0cc5346e62eb4614
                                                  • Opcode Fuzzy Hash: d5a0710410a0e9500b4991e7e6425a2297be46b0c83ce66be67affcab5a6566f
                                                  • Instruction Fuzzy Hash: AE11E979600319B7F610E7B5AC85FDA3658FB54744F840414F708990D2EB75E8448676
                                                  APIs
                                                  • #823.MFC42(0000001C,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 10006540
                                                  • #825.MFC42(00000000,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 10006583
                                                  • #823.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 10006597
                                                  • #825.MFC42(00000000,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 100065DD
                                                  • #823.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 100065F1
                                                  • #825.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 10006637
                                                  • #823.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 1000664B
                                                  • #825.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 10006691
                                                  • #823.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 100066A5
                                                  • #825.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 100066EB
                                                  • #823.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 100066FF
                                                  • #825.MFC42(?,?,?), ref: 10006758
                                                  • #823.MFC42(?,?,?), ref: 1000676C
                                                  • #825.MFC42(00000000,?,?), ref: 100067B1
                                                  • #823.MFC42(?,?,?), ref: 100067C5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823$#825
                                                  • String ID:
                                                  • API String ID: 2704444950-0
                                                  • Opcode ID: 7bec8dbf16562bad003da3af1f42c1a03097033c04e808ff0bba191b4fb42cb9
                                                  • Instruction ID: 60a5b56d8eae0c97300d1150149c5d3cd1187e5e90251027326246755cc62438
                                                  • Opcode Fuzzy Hash: 7bec8dbf16562bad003da3af1f42c1a03097033c04e808ff0bba191b4fb42cb9
                                                  • Instruction Fuzzy Hash: 0BC1D0B57046054BEB18CE38D89292B77D2EF982A0B65863CFD1A877C5DF71ED058780
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 10012641
                                                  • GetProcAddress.KERNEL32(00000000,closesocket), ref: 10012651
                                                  • wsprintfA.USER32 ref: 10012683
                                                  • CloseHandle.KERNEL32(00000000), ref: 100126D7
                                                  • Sleep.KERNEL32(00000002), ref: 100126F1
                                                  • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 10012730
                                                  • GetProcAddress.KERNEL32(00000000,send), ref: 1001273C
                                                  • FreeLibrary.KERNEL32(?), ref: 10012794
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Library$AddressLoadProc$CloseFreeHandleSleepwsprintf
                                                  • String ID: ID= %d $closesocket$send$ws2_32.dll
                                                  • API String ID: 1680113600-2339802411
                                                  • Opcode ID: 1e004e0467ac5dc5021d6473d21da3e49f18c438dae7c27dbc7de7b95a398db1
                                                  • Instruction ID: c6c0da67d46d13d68f268ba758adfad6d1a8e6a04e0d0a6cfae2b139a2cc5429
                                                  • Opcode Fuzzy Hash: 1e004e0467ac5dc5021d6473d21da3e49f18c438dae7c27dbc7de7b95a398db1
                                                  • Instruction Fuzzy Hash: 5941B3B9608355AFD714DF78CC88B9BB7E4FB88344F040A18F985DB281D774E9608B61
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,MultiByteToWideChar,00000000,?,0000005C,?,1000620E,00000000), ref: 10006416
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1000641F
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,WideCharToMultiByte,?,0000005C,?,1000620E,00000000), ref: 1000642F
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10006432
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA,?,0000005C,?,1000620E,00000000), ref: 10006442
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10006445
                                                  • #823.MFC42(00000002,?,0000005C,?,1000620E,00000000), ref: 10006461
                                                  • #823.MFC42(00000002,00000002,?,0000005C,?,1000620E,00000000), ref: 10006469
                                                  • #825.MFC42(00000000,?,0000005C,?,1000620E,00000000), ref: 10006495
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$#823$#825
                                                  • String ID: KERNEL32.dll$MultiByteToWideChar$WideCharToMultiByte$lstrlenA
                                                  • API String ID: 1309867234-4059950253
                                                  • Opcode ID: 7af2d8f90b723ac55f2e61bf25ce58a6540ace20f9de91bf3ac2f31209b68641
                                                  • Instruction ID: 24126899a78552c85fb018411479147e3e3da7a595a1e87d81a390b39e73e2c3
                                                  • Opcode Fuzzy Hash: 7af2d8f90b723ac55f2e61bf25ce58a6540ace20f9de91bf3ac2f31209b68641
                                                  • Instruction Fuzzy Hash: 651106B694131837DA10A7B56C49F9B3E9CDF967B1F15052AFB00B7181D964A804C6F2
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(?,?,?,?,00000010), ref: 1002BD4B
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002BD52
                                                    • Part of subcall function 1002BFA0: LoadLibraryA.KERNEL32(USER32.dll,OpenDesktopA,?,?,00000000,1002BD69,00000000), ref: 1002BFBB
                                                    • Part of subcall function 1002BFA0: GetProcAddress.KERNEL32(00000000), ref: 1002BFC4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: .$2$3$K$L$N$R$S$d$n$v
                                                  • API String ID: 2574300362-924470386
                                                  • Opcode ID: 66c01a92ff87701a3e74a371ce5ffd8452510b3b243cd9580b425eb6a63e840b
                                                  • Instruction ID: 39105760561fa5605379ae29a799da026ab5923eed6d66789845782971b3bb5b
                                                  • Opcode Fuzzy Hash: 66c01a92ff87701a3e74a371ce5ffd8452510b3b243cd9580b425eb6a63e840b
                                                  • Instruction Fuzzy Hash: 65318075D092CCDEDB01CBE8D884ADEFFB8AF2A240F084159E54577382C2794608CBB6
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,GetCurrentThreadId,75920BD0,00000000,?,7591F550), ref: 1002BF0A
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002BF13
                                                  • LoadLibraryA.KERNEL32(USER32.dll,GetThreadDesktop,?,7591F550), ref: 1002BF21
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002BF24
                                                  • GetUserObjectInformationA.USER32(?,00000002,?,00000100,?), ref: 1002BF48
                                                  • SetThreadDesktop.USER32(?,?,7591F550), ref: 1002BF5E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$DesktopInformationObjectThreadUser
                                                  • String ID: CloseDesktop$GetCurrentThreadId$GetThreadDesktop$KERNEL32.dll$USER32.dll
                                                  • API String ID: 2607951617-608436089
                                                  • Opcode ID: c2ebef84e9b262551e250a419790dc66ae1a1fb89a902689a10c6f40911fabc1
                                                  • Instruction ID: b07af5cf8ecbc5bc02c84ebfb39a8ce14e9aad1f179a38e33ce0dde8c6edab6d
                                                  • Opcode Fuzzy Hash: c2ebef84e9b262551e250a419790dc66ae1a1fb89a902689a10c6f40911fabc1
                                                  • Instruction Fuzzy Hash: 6701B5B670025C27E610B7B9AC88EDB774CEB80761F854532FB04D2141EA6DA84996B4
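The function listings above all follow one textual shape (an "APIs" block of "Name.MODULE(args), ref: ADDR" bullets, optional "Part of subcall function" lines, and a "String ID" line joined with "$"), and the interesting behaviour is spread across several of them: the function that builds a path to \termsrv.dll, enables SeDebugPrivilege via AdjustTokenPrivileges and looks up csrss.exe and drwtsn32.exe while calling AbortSystemShutdownA; the function that resolves send and closesocket from ws2_32.dll through LoadLibraryA/GetProcAddress; and the function that resolves GetThreadDesktop and calls SetThreadDesktop. The script below is an added example, not Joe Sandbox's code and not part of this report. It parses that listing format and tags each function with the patterns a triager would want pulled out automatically. The sample input is a handful of bullet lines copied in the report's shape; the rule names, the treatment of stack values next to LoadLibraryA as the name about to be passed to GetProcAddress, and the list of targeted process names (taken from this report only) are my own choices, not a Joe Sandbox convention.

```python
"""Parse Joe Sandbox 'Executed Functions' listings and tag functions by API pattern.

Added example. Assumes the plain-text layout shown in this report: one 'APIs' block per
function, bullet lines of the form 'Name.MODULE(args), ref: ADDR', optional
'Part of subcall function XXXX:' prefixes, and a 'String ID:' line whose entries are
joined with '$'. Rule names below are my own, not Joe Sandbox terminology.
"""
import re
from typing import Dict, List

# Constructed input: bullet lines in the shape the report prints them (not a full report).
SAMPLE = r"""
APIs
• GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 10027190
• lstrcatA.KERNEL32(?,\termsrv.dll), ref: 100271A0
  • Part of subcall function 1001B690: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1001B6D2
  • Part of subcall function 1001B690: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6EA
• GetProcessId.KERNEL32(csrss.exe,?,?,?,00000065,?,?,\termsrv.dll), ref: 100271E9
• AbortSystemShutdownA.ADVAPI32(00000000), ref: 100271F9
Strings
• String ID: SeDebugPrivilege$SeShutdownPrivilege$\termsrv.dll$csrss.exe$drwtsn32.exe
APIs
• LoadLibraryA.KERNEL32(ws2_32.dll), ref: 10012641
• GetProcAddress.KERNEL32(00000000,closesocket), ref: 10012651
• wsprintfA.USER32 ref: 10012683
• GetProcAddress.KERNEL32(00000000,send), ref: 1001273C
• String ID: ID= %d $closesocket$send$ws2_32.dll
APIs
• LoadLibraryA.KERNEL32(USER32.dll,GetThreadDesktop,?,7591F550), ref: 1002BF21
• GetProcAddress.KERNEL32(00000000), ref: 1002BF24
• SetThreadDesktop.USER32(?,?,7591F550), ref: 1002BF5E
"""

# 'Name.MODULE(args), ref: ADDR' with an optional subcall prefix; args may be absent.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[^\s(]+?)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
STR_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")
HEX32 = re.compile(r"[0-9A-Fa-f]{8}")

# Process names this report shows being looked up; extend per case.
TARGETED_PROCESSES = ("csrss.exe", "drwtsn32.exe")


def parse_functions(text: str) -> List[Dict]:
    """Split the listing into one record per 'APIs' block."""
    funcs: List[Dict] = []
    cur = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"apis": [], "strings": []}
            funcs.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw is not None else []
            cur["apis"].append({"name": m.group("name"), "module": m.group("module"),
                                "args": args, "ref": m.group("ref")})
            continue
        m = STR_RE.match(line)
        if m:
            cur["strings"].extend(s for s in m.group("ids").split("$") if s)
    return funcs


def resolved_imports(func: Dict) -> List[str]:
    """Export names the function resolves at run time.

    Takes the non-hex, non-DLL arguments shown for GetProcAddress, and (assumption)
    the same kind of value printed beside LoadLibraryA, which the sandbox shows
    from the stack and which is the name about to be passed to GetProcAddress.
    """
    names = []
    for api in func["apis"]:
        if api["name"] in ("GetProcAddress", "LoadLibraryA", "LoadLibraryW"):
            for a in api["args"]:
                if a and a != "?" and not HEX32.fullmatch(a) and not a.lower().endswith(".dll"):
                    names.append(a)
    return names


def classify(func: Dict) -> List[str]:
    """Return the rule tags that fire for one function, in a fixed order."""
    names = {a["name"] for a in func["apis"]}
    strings = set(func["strings"])
    blob = " ".join(strings | {x for a in func["apis"] for x in a["args"]})
    tags = []
    if "GetProcAddress" in names:
        tags.append("dynamic_import")
    if "AdjustTokenPrivileges" in names and "SeDebugPrivilege" in strings:
        tags.append("sedebug_privilege")
    if any(p in blob for p in TARGETED_PROCESSES):
        tags.append("targets_system_process")
    if "AbortSystemShutdownA" in names or "AbortSystemShutdownW" in names:
        tags.append("shutdown_abort")
    if "termsrv.dll" in blob:
        tags.append("termsrv_path")
    if "ws2_32.dll" in blob and strings & {"send", "closesocket", "recv", "connect"}:
        tags.append("winsock_resolved")
    if "SetThreadDesktop" in names:
        tags.append("desktop_switch")
    return tags


def report(text: str) -> List[Dict]:
    """Tag every function in a listing; returns one summary dict per function."""
    out = []
    for f in parse_functions(text):
        out.append({"first_ref": f["apis"][0]["ref"] if f["apis"] else None,
                    "tags": classify(f), "resolved": resolved_imports(f)})
    return out


if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

Run it against the text of a full Joe Sandbox "Executed Functions" section rather than the constructed sample to get one row per function; the "first_ref" address lets you jump back to the block in the report. The ordering of tags is fixed so the output is stable across runs and can be diffed between samples of the same family.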
                                                  APIs
                                                  • LoadCursorA.USER32(00000000,00000000), ref: 10017DFF
                                                    • Part of subcall function 10018A20: ReleaseDC.USER32(00000000,?), ref: 10018A38
                                                    • Part of subcall function 10018A20: GetDC.USER32(00000000), ref: 10018A40
                                                  • GetDC.USER32(00000000), ref: 10017E52
                                                  • QueryPerformanceFrequency.KERNEL32(00000030), ref: 10017E5F
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10017E81
                                                  • GetDeviceCaps.GDI32(?,00000076), ref: 10017E9E
                                                  • GetDeviceCaps.GDI32(?,00000075), ref: 10017EA9
                                                  • CreateCompatibleDC.GDI32(?), ref: 10017EC7
                                                  • CreateCompatibleDC.GDI32(?), ref: 10017ED0
                                                  • CreateCompatibleDC.GDI32(?), ref: 10017ED9
                                                  • CreateDIBSection.GDI32(?,?,00000000,00000058,00000000,00000000), ref: 10017F26
                                                  • CreateDIBSection.GDI32(?,?,00000000,0000005C,00000000,00000000), ref: 10017F37
                                                  • SelectObject.GDI32(?,?), ref: 10017F4A
                                                  • SelectObject.GDI32(?,?), ref: 10017F54
                                                  • #823.MFC42(?,?,?,?,00000000), ref: 10017F5F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Create$Compatible$CapsDeviceObjectSectionSelect$#823CursorFrequencyLoadPerformanceQueryReleaseUnothrow_t@std@@@__ehfuncinfo$??2@
                                                  • String ID:
                                                  • API String ID: 1396098503-0
                                                  • Opcode ID: b320cf3e43d5f69ce13cdc363c04ae0b3c7bef57714eee9ac65f9eae9de58433
                                                  • Instruction ID: f5b09e1389df2f3a8d9c5176518bf7bbc65b6c3c0f8f13021ea446bacafcd8a0
                                                  • Opcode Fuzzy Hash: b320cf3e43d5f69ce13cdc363c04ae0b3c7bef57714eee9ac65f9eae9de58433
                                                  • Instruction Fuzzy Hash: 2981F2B5504B459FD320CF29C884A6BFBF9FB88704F008A1DE58A87750DB79F8058B91
                                                  APIs
                                                    • Part of subcall function 1002C5D0: GetCurrentThreadId.KERNEL32 ref: 1002C5E2
                                                    • Part of subcall function 1002C5D0: GetThreadDesktop.USER32(00000000), ref: 1002C5E9
                                                    • Part of subcall function 1002C5D0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C61C
                                                    • Part of subcall function 1002C5D0: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 1002C627
                                                    • Part of subcall function 1002C5D0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C64E
                                                    • Part of subcall function 1002C5D0: lstrcmpiA.KERNEL32(?,?), ref: 1002C65D
                                                    • Part of subcall function 1002C5D0: SetThreadDesktop.USER32(00000000), ref: 1002C668
                                                    • Part of subcall function 1002C5D0: CloseDesktop.USER32(00000000), ref: 1002C680
                                                    • Part of subcall function 1002C5D0: CloseDesktop.USER32(00000000), ref: 1002C683
                                                  • SetCursorPos.USER32(?,?,?,?,?,?,1001751F,?,?,00000000), ref: 10017A28
                                                  • WindowFromPoint.USER32(?,?,?,?,?,?,1001751F,?,?,00000000), ref: 10017A30
                                                  • SetCapture.USER32(00000000,?,?,?,?,1001751F,?,?,00000000), ref: 10017A37
                                                  • LoadLibraryA.KERNEL32(USER32.dll,keybd_event,?,?,?,?,1001751F,?,?,00000000), ref: 10017A4D
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10017A50
                                                  • LoadLibraryA.KERNEL32(USER32.dll,mouse_event,?,?,?,?,1001751F,?,?,00000000), ref: 10017A5E
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10017A61
                                                  • MapVirtualKeyA.USER32(?,00000000), ref: 10017A9A
                                                  • MapVirtualKeyA.USER32(?,00000000), ref: 10017AB4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Desktop$Thread$AddressCloseInformationLibraryLoadObjectProcUserVirtual$CaptureCurrentCursorFromInputOpenPointWindowlstrcmpi
                                                  • String ID: USER32.dll$keybd_event$mouse_event
                                                  • API String ID: 1441364844-718119381
                                                  • Opcode ID: 80c9abde4b12d50efe92c4b3546a67d4ac8343425a33d2bf32e8b82d811461be
                                                  • Instruction ID: 2451a04a9bde1e7bfa8f86e37c24795d67c21f324d001409fd558fbe77f3f18c
                                                  • Opcode Fuzzy Hash: 80c9abde4b12d50efe92c4b3546a67d4ac8343425a33d2bf32e8b82d811461be
                                                  • Instruction Fuzzy Hash: AD515B31BC471576F234CA648C87F4A7AA4FB85F90F708611B708BE1C4D6F0F980869A
                                                  APIs
                                                    • Part of subcall function 1002C5D0: GetCurrentThreadId.KERNEL32 ref: 1002C5E2
                                                    • Part of subcall function 1002C5D0: GetThreadDesktop.USER32(00000000), ref: 1002C5E9
                                                    • Part of subcall function 1002C5D0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C61C
                                                    • Part of subcall function 1002C5D0: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 1002C627
                                                    • Part of subcall function 1002C5D0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C64E
                                                    • Part of subcall function 1002C5D0: lstrcmpiA.KERNEL32(?,?), ref: 1002C65D
                                                    • Part of subcall function 1002C5D0: SetThreadDesktop.USER32(00000000), ref: 1002C668
                                                    • Part of subcall function 1002C5D0: CloseDesktop.USER32(00000000), ref: 1002C680
                                                    • Part of subcall function 1002C5D0: CloseDesktop.USER32(00000000), ref: 1002C683
                                                  • SetCursorPos.USER32(?,?,?,?,?,?,1001697A,?,?), ref: 10016D88
                                                  • WindowFromPoint.USER32(?,?,?,?,?,?,1001697A,?,?), ref: 10016D90
                                                  • SetCapture.USER32(00000000,?,?,?,?,1001697A,?,?), ref: 10016D97
                                                  • LoadLibraryA.KERNEL32(USER32.dll,keybd_event,?,?,?,?,1001697A,?,?), ref: 10016DAD
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10016DB0
                                                  • LoadLibraryA.KERNEL32(USER32.dll,mouse_event,?,?,?,?,1001697A,?,?), ref: 10016DBE
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10016DC1
                                                  • MapVirtualKeyA.USER32(?,00000000), ref: 10016DFA
                                                  • MapVirtualKeyA.USER32(?,00000000), ref: 10016E14
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Desktop$Thread$AddressCloseInformationLibraryLoadObjectProcUserVirtual$CaptureCurrentCursorFromInputOpenPointWindowlstrcmpi
                                                  • String ID: USER32.dll$keybd_event$mouse_event
                                                  • API String ID: 1441364844-718119381
                                                  • Opcode ID: 08bcb3d6ed205dffc589dff17d9e7e4658589abb0dcfe27e4ec1cfb246dd7a1a
                                                  • Instruction ID: 9bdd7654e0fc0f02893d67ce9a41b80379b50915a00eb774664f2f349eb60d67
                                                  • Opcode Fuzzy Hash: 08bcb3d6ed205dffc589dff17d9e7e4658589abb0dcfe27e4ec1cfb246dd7a1a
                                                  • Instruction Fuzzy Hash: C3515E3ABC0729B7F630DA64CD47F5A6A94EB49F90F314615B704BE1C1D5F0F8808A99
                                                  APIs
                                                    • Part of subcall function 100109B0: LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,?,?,1000F32E,?,?,00000000,1001DC8E,?,100FA3E4,?), ref: 100109D0
                                                    • Part of subcall function 100109B0: GetProcAddress.KERNEL32(00000000), ref: 100109D7
                                                  • LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,10097C58,000000FF), ref: 10002D12
                                                  • LoadLibraryA.KERNEL32(CHROMEUSERINFO.dll,?,?,?,?,?,?,?,?,?,?,?,10097C58,000000FF), ref: 10002D22
                                                  • GetProcAddress.KERNEL32(00000000,fnGetChromeUserInfo), ref: 10002D3E
                                                  • GetProcAddress.KERNEL32(00000000,fnDeleteChromeUserInfo), ref: 10002D4C
                                                  • LocalReAlloc.KERNEL32(00000000,?,00000042,?,?,?,?,?,?,?,?,?,?,?,10097C58,000000FF), ref: 10002E53
                                                  • LocalSize.KERNEL32(00000000), ref: 10002E5C
                                                  • LocalFree.KERNEL32(00000000,?,00000042,?,?,?,?,?,?,?,?,?,?,?,10097C58,000000FF), ref: 10002E6C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Local$AddressProc$AllocLibraryLoad$FreeSize
                                                  • String ID: CHROMEUSERINFO.dll$CHROME_NO_DATA$CHROME_UNKNOW$fnDeleteChromeUserInfo$fnGetChromeUserInfo
                                                  • API String ID: 1379963177-1650604611
                                                  • Opcode ID: 40e86dac1dae070f7c70b1330ff765b42097cb6cefb2778c80bb74e439fd16d3
                                                  • Instruction ID: 13833c0b53df42460e1e6170d0b02e4772bea98369ed9403c64bee1aaa194fbe
                                                  • Opcode Fuzzy Hash: 40e86dac1dae070f7c70b1330ff765b42097cb6cefb2778c80bb74e439fd16d3
                                                  • Instruction Fuzzy Hash: DF4123716002585FD728CF288C45AAF7BD5FB8A7A0F580729F90AE7780CB79DE018791
                                                  APIs
                                                  • #537.MFC42(360se6.exe), ref: 1000F047
                                                    • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                    • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                    • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                    • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                    • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                    • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                    • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000F05F
                                                  • #540.MFC42 ref: 1000F069
                                                  • #926.MFC42(00000002,C:\Users\,0000005C), ref: 1000F09B
                                                  • #924.MFC42(0000005C,00000000,\AppData\Roaming\360se6\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F0B3
                                                  • #800.MFC42(0000005C,00000000,\AppData\Roaming\360se6\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F0C4
                                                  • Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Roaming\360se6\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F0CE
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                    • Part of subcall function 1000BD50: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                    • Part of subcall function 1000BD50: ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                    • Part of subcall function 1000BD50: ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                    • Part of subcall function 1000BD50: ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                    • Part of subcall function 1000BD50: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                    • Part of subcall function 1000BD50: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                    • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                  • #800.MFC42 ref: 1000F0ED
                                                  • #800.MFC42 ref: 1000F101
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$#800$Process32Tidy@?$basic_string@$#4202#537#5572FirstNext$#540#924#926?append@?$basic_string@CreateD@2@@0@Eos@?$basic_string@FileFindFolderFreeze@?$basic_string@Grow@?$basic_string@Hstd@@PathSleepSnapshotSpecialToolhelp32V10@V12@V?$basic_string@Xran@std@@
                                                  • String ID: 360se6.exe$C:\Users\$\AppData\Roaming\360se6\User Data\Default
                                                  • API String ID: 1983172782-1244823433
                                                  • Opcode ID: 18c021ef16c137c05664ca6647b8b755146eec05a8d0a1cea44dfa32c53753fd
                                                  • Instruction ID: e9c89288d271108546bef61020c2a1418b1faed9b041f6e65e1a09c7bde258f6
                                                  • Opcode Fuzzy Hash: 18c021ef16c137c05664ca6647b8b755146eec05a8d0a1cea44dfa32c53753fd
                                                  • Instruction Fuzzy Hash: F6216579408788ABE364DB54D942FDFB7D4EB84710F40891CF29D821D6EB74A504CBA3
                                                  APIs
                                                  • #537.MFC42(QQBrowser.exe), ref: 1000F147
                                                    • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                    • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                    • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                    • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                    • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                    • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                    • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000F15F
                                                  • #540.MFC42 ref: 1000F169
                                                  • #926.MFC42(00000002,C:\Users\,0000005C), ref: 1000F19B
                                                  • #924.MFC42(0000005C,00000000,\AppData\Local\Tencent\QQBrowser\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F1B3
                                                  • #800.MFC42(0000005C,00000000,\AppData\Local\Tencent\QQBrowser\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F1C4
                                                  • Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Local\Tencent\QQBrowser\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F1CE
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                    • Part of subcall function 1000BD50: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                    • Part of subcall function 1000BD50: ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                    • Part of subcall function 1000BD50: ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                    • Part of subcall function 1000BD50: ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                    • Part of subcall function 1000BD50: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                    • Part of subcall function 1000BD50: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                    • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                  • #800.MFC42 ref: 1000F1ED
                                                  • #800.MFC42 ref: 1000F201
                                                  Strings
                                                  • QQBrowser.exe, xrefs: 1000F142
                                                  • \AppData\Local\Tencent\QQBrowser\User Data\Default, xrefs: 1000F1A0
                                                  • C:\Users\, xrefs: 1000F195
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$#800$Process32Tidy@?$basic_string@$#4202#537#5572FirstNext$#540#924#926?append@?$basic_string@CreateD@2@@0@Eos@?$basic_string@FileFindFolderFreeze@?$basic_string@Grow@?$basic_string@Hstd@@PathSleepSnapshotSpecialToolhelp32V10@V12@V?$basic_string@Xran@std@@
                                                  • String ID: C:\Users\$QQBrowser.exe$\AppData\Local\Tencent\QQBrowser\User Data\Default
                                                  • API String ID: 1983172782-2662846904
                                                  • Opcode ID: d929c9d7e6e2ddc006b7321b863d3d1fcb39d8f080301b7359882cf3280fcb7a
                                                  • Instruction ID: b508ae645e237c7229c1d69a2e2dd707763a9c57ac4a9714039cccd54a056aaa
                                                  • Opcode Fuzzy Hash: d929c9d7e6e2ddc006b7321b863d3d1fcb39d8f080301b7359882cf3280fcb7a
                                                  • Instruction Fuzzy Hash: C9216579408788ABE254DB54D942FDEB7D4EF84710F40891CF19D821D6EB74A504CBA3
                                                  APIs
                                                  • #537.MFC42(SogouExplorer.exe), ref: 1000F247
                                                    • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                    • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                    • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                    • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                    • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                    • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                    • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000F25F
                                                  • #540.MFC42 ref: 1000F269
                                                  • #926.MFC42(00000002,C:\Users\,0000005C), ref: 1000F29B
                                                  • #924.MFC42(0000005C,00000000,\AppData\Roaming\SogouExplorer,00000002,C:\Users\,0000005C), ref: 1000F2B3
                                                  • #800.MFC42(0000005C,00000000,\AppData\Roaming\SogouExplorer,00000002,C:\Users\,0000005C), ref: 1000F2C4
                                                  • Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Roaming\SogouExplorer,00000002,C:\Users\,0000005C), ref: 1000F2CE
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                    • Part of subcall function 1000BD50: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                    • Part of subcall function 1000BD50: ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                    • Part of subcall function 1000BD50: ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                    • Part of subcall function 1000BD50: ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                    • Part of subcall function 1000BD50: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                    • Part of subcall function 1000BD50: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                    • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                  • #800.MFC42 ref: 1000F2ED
                                                  • #800.MFC42 ref: 1000F301
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$#800$Process32Tidy@?$basic_string@$#4202#537#5572FirstNext$#540#924#926?append@?$basic_string@CreateD@2@@0@Eos@?$basic_string@FileFindFolderFreeze@?$basic_string@Grow@?$basic_string@Hstd@@PathSleepSnapshotSpecialToolhelp32V10@V12@V?$basic_string@Xran@std@@
                                                  • String ID: C:\Users\$SogouExplorer.exe$\AppData\Roaming\SogouExplorer
                                                  • API String ID: 1983172782-2055279553
                                                  • Opcode ID: 51939aa5053ae2bff0236cf59cf2096a6ea1610dc964246ad680e0cd77336b3f
                                                  • Instruction ID: 7d35013b61d80cf1e9c1dfe39d441eecd520366740e00716b73819efa327f1aa
                                                  • Opcode Fuzzy Hash: 51939aa5053ae2bff0236cf59cf2096a6ea1610dc964246ad680e0cd77336b3f
                                                  • Instruction Fuzzy Hash: F6218779408788ABE354DB54DD42FDBB7D4EB84700F40891CF19D821D6EB74A504CBA3
                                                  APIs
                                                  • #537.MFC42(chrome.exe), ref: 1000EE07
                                                    • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                    • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                    • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                    • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                    • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                    • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                    • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000EE1F
                                                  • #540.MFC42 ref: 1000EE29
                                                  • #926.MFC42(00000002,C:\Users\,0000005C), ref: 1000EE5B
                                                  • #924.MFC42(0000005C,00000000,\AppData\Local\Google\Chrome\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000EE73
                                                  • #800.MFC42(0000005C,00000000,\AppData\Local\Google\Chrome\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000EE84
                                                  • Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Local\Google\Chrome\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000EE8E
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                    • Part of subcall function 1000BD50: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                    • Part of subcall function 1000BD50: ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                    • Part of subcall function 1000BD50: ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                    • Part of subcall function 1000BD50: ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                    • Part of subcall function 1000BD50: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                    • Part of subcall function 1000BD50: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                    • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                  • #800.MFC42 ref: 1000EEAD
                                                  • #800.MFC42 ref: 1000EEC1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$#800$Process32Tidy@?$basic_string@$#4202#537#5572FirstNext$#540#924#926?append@?$basic_string@CreateD@2@@0@Eos@?$basic_string@FileFindFolderFreeze@?$basic_string@Grow@?$basic_string@Hstd@@PathSleepSnapshotSpecialToolhelp32V10@V12@V?$basic_string@Xran@std@@
                                                  • String ID: C:\Users\$\AppData\Local\Google\Chrome\User Data\Default$chrome.exe
                                                  • API String ID: 1983172782-2559963756
                                                  • Opcode ID: 523ad62f1040f6ae26f22e01937fcab8022a47d8d2344defdecc7f28f5186ab4
                                                  • Instruction ID: 8c6a82a66adb9de8b1ca2427e2dad7b5aad7125b1f470a43c445caaf05036487
                                                  • Opcode Fuzzy Hash: 523ad62f1040f6ae26f22e01937fcab8022a47d8d2344defdecc7f28f5186ab4
                                                  • Instruction Fuzzy Hash: 1D216579408784ABE254DB54DD46FDEB7D5EB84700F40891CF19D821D6EB74A504CBA3
                                                  APIs
                                                  • #537.MFC42(Skype.exe), ref: 1000EF07
                                                    • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                    • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                    • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                    • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                    • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                    • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                    • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000EF1F
                                                  • #540.MFC42 ref: 1000EF29
                                                  • #926.MFC42(00000002,C:\Users\,0000005C), ref: 1000EF5B
                                                  • #924.MFC42(0000005C,00000000,\AppData\Roaming\Microsoft\Skype for Desktop,00000002,C:\Users\,0000005C), ref: 1000EF73
                                                  • #800.MFC42(0000005C,00000000,\AppData\Roaming\Microsoft\Skype for Desktop,00000002,C:\Users\,0000005C), ref: 1000EF84
                                                  • Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Roaming\Microsoft\Skype for Desktop,00000002,C:\Users\,0000005C), ref: 1000EF8E
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                    • Part of subcall function 1000BD50: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                    • Part of subcall function 1000BD50: ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                    • Part of subcall function 1000BD50: ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                    • Part of subcall function 1000BD50: ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                    • Part of subcall function 1000BD50: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                    • Part of subcall function 1000BD50: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                    • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                  • #800.MFC42 ref: 1000EFAD
                                                  • #800.MFC42 ref: 1000EFC1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$#800$Process32Tidy@?$basic_string@$#4202#537#5572FirstNext$#540#924#926?append@?$basic_string@CreateD@2@@0@Eos@?$basic_string@FileFindFolderFreeze@?$basic_string@Grow@?$basic_string@Hstd@@PathSleepSnapshotSpecialToolhelp32V10@V12@V?$basic_string@Xran@std@@
                                                  • String ID: C:\Users\$Skype.exe$\AppData\Roaming\Microsoft\Skype for Desktop
                                                  • API String ID: 1983172782-3499480952
                                                  • Opcode ID: 506967efb7cbd1429561d61a16553b74a6b62e0af240bad732d850845aeece2a
                                                  • Instruction ID: c2392c766fec2091ac0e11c8610587f68406746635502bb5fb4463dc87aa9c62
                                                  • Opcode Fuzzy Hash: 506967efb7cbd1429561d61a16553b74a6b62e0af240bad732d850845aeece2a
                                                  • Instruction Fuzzy Hash: 0B216579408788ABE254DB54D942FDEB7D4EB84700F40891CF19D821D6EB74A504CBA3
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Delete$#825$Object$CursorDestroyRelease
                                                  • String ID:
                                                  • API String ID: 719826280-0
                                                  • Opcode ID: 2d077890a14f4d6575af65d40687cd70d6d7c34bba1e1dc241cd46e0adb5d077
                                                  • Instruction ID: 1057cd0b5374723fdd9eac028f866a029913c2518dbccd866ad41eb7240ccfe0
                                                  • Opcode Fuzzy Hash: 2d077890a14f4d6575af65d40687cd70d6d7c34bba1e1dc241cd46e0adb5d077
                                                  • Instruction Fuzzy Hash: 83114FBA600B149BD620EBB9DC80D57F3EDFF98210B154D1DFA8A87750DAB5F8448B60
                                                  APIs
                                                  • malloc.MSVCRT ref: 10007519
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,00000000), ref: 10007541
                                                  • free.MSVCRT ref: 1000759F
                                                  • GetFileAttributesA.KERNEL32(?), ref: 100075AD
                                                  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 100075D4
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 100075E3
                                                  • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 100075F9
                                                  • ReadFile.KERNEL32(?,00000000,?,0000035D,00000000), ref: 1000761D
                                                  • CloseHandle.KERNEL32(?), ref: 1000762A
                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 1000766A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Virtual$AllocAttributesCloseCreateFolderFreeHandlePathReadSizeSpecialfreemalloc
                                                  • String ID: Main
                                                  • API String ID: 2820283417-521822810
                                                  • Opcode ID: d96795f43f274779fe40dde3b56b3a16bfa6122aa87b00316b9a1b81143df7fd
                                                  • Instruction ID: 6f0d9e7d78dd571c703ddbf1913cd77a9e21db67d46627b5b307b1784e6b32fb
                                                  • Opcode Fuzzy Hash: d96795f43f274779fe40dde3b56b3a16bfa6122aa87b00316b9a1b81143df7fd
                                                  • Instruction Fuzzy Hash: C051E8756002005BE718DB388C99FA73699FB84720F284739FE1ADB2D5DE79A904C764
                                                  APIs
                                                    • Part of subcall function 10014700: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                    • Part of subcall function 10014700: GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                    • Part of subcall function 10014700: #823.MFC42(?), ref: 10014763
                                                    • Part of subcall function 10014700: #823.MFC42(?,?), ref: 100147DA
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,759223A0), ref: 1001A98A
                                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,00000000,759223A0), ref: 1001A9C4
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,759223A0), ref: 1001A9D4
                                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,00000000,759223A0), ref: 1001A9E4
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,759223A0), ref: 1001A9EB
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,759223A0), ref: 1001A9F8
                                                  • gethostname.WS2_32(?,?), ref: 1001AA00
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,759223A0), ref: 1001AA07
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Filelstrlen$#823$AddressCloseCreateHandleLibraryLoadProcReadSizegethostname
                                                  • String ID: C:\ProgramData\Microsoft Drive\Host.sys$Host$TGByte\Setup
                                                  • API String ID: 1105965372-3579490797
                                                  • Opcode ID: 26600dc6ced3552f7cb32c9401563bb8fc38f089117c6e8a29bd790fcd37870b
                                                  • Instruction ID: 1aca79b18ebe77987ab2057df5d6393e57785d9c54ea4be51680de8087f9014e
                                                  • Opcode Fuzzy Hash: 26600dc6ced3552f7cb32c9401563bb8fc38f089117c6e8a29bd790fcd37870b
                                                  • Instruction Fuzzy Hash: B331D675604754AFE320CB28CC90FEB7799FB89340F040929FA49A7290DA316945CF62
                                                  APIs
                                                  • wsprintfA.USER32 ref: 10026D35
                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10026D4B
                                                  • lstrcatA.KERNEL32(?,?), ref: 10026D5E
                                                  • LocalAlloc.KERNEL32(00000040,00000400), ref: 10026D6B
                                                  • GetFileAttributesA.KERNEL32(?), ref: 10026D7B
                                                  • LoadLibraryA.KERNEL32(?), ref: 10026D8E
                                                  • lstrlenA.KERNEL32(?,?,?,75920F00), ref: 10026DA9
                                                  • lstrlenA.KERNEL32(?,?,75920F00), ref: 10026DC9
                                                  • LocalReAlloc.KERNEL32(00000000,00000003,00000042,?,75920F00), ref: 10026DD3
                                                  • LocalFree.KERNEL32(00000000,?,75920F00), ref: 10026DE7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Local$Alloclstrlen$AttributesDirectoryFileFreeLibraryLoadSystemlstrcatwsprintf
                                                  • String ID: \termsrv_t.dll
                                                  • API String ID: 2807520882-1337493607
                                                  • Opcode ID: 3e63cd410a7fc4ddff13f741e1262c6410d4f42814cfeeeaadeb341975cacc12
                                                  • Instruction ID: a2e46dfa2fd43b06bd93f3c469c625f775f47f80488668f48bd48991d4721694
                                                  • Opcode Fuzzy Hash: 3e63cd410a7fc4ddff13f741e1262c6410d4f42814cfeeeaadeb341975cacc12
                                                  • Instruction Fuzzy Hash: 8C21D176100306AFD724DF60DC88EEB77A8FB85310F444A18FA4A97191EB70E509CB62
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: inet_ntoa$htons$inet_addr
                                                  • String ID:
                                                  • API String ID: 2325850693-0
                                                  • Opcode ID: feff4991006adee928c6db238b0ff46cf5f451b3ea962ecf4bc5810bc883adaf
                                                  • Instruction ID: 0f8a403a37a04198fb3543f642c4371480fab305af7d543d8c9d6285c61f0e9b
                                                  • Opcode Fuzzy Hash: feff4991006adee928c6db238b0ff46cf5f451b3ea962ecf4bc5810bc883adaf
                                                  • Instruction Fuzzy Hash: 6051493A7046544BCB18DF38B8901AFB7D1FF89260B9985AEFD8AD7341CA21ED01C764
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BA5E
                                                  • Process32First.KERNEL32(00000000,?), ref: 1000BA73
                                                  • GetLastError.KERNEL32(00000000,?), ref: 1000BA80
                                                  • _wcsupr.MSVCRT ref: 1000BA9D
                                                  • _wcsupr.MSVCRT ref: 1000BAA6
                                                  • wcsstr.MSVCRT ref: 1000BAAA
                                                  • Process32Next.KERNEL32(00000000,?), ref: 1000BACD
                                                  • _strlwr.MSVCRT ref: 1000BAE7
                                                  • _strlwr.MSVCRT ref: 1000BAEA
                                                  • strstr.MSVCRT ref: 1000BAF2
                                                  • Process32Next.KERNEL32(00000000,?), ref: 1000BB01
                                                  • CloseHandle.KERNEL32(00000000,00000000,?), ref: 1000BB0B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process32$Next_strlwr_wcsupr$CloseCreateErrorFirstHandleLastSnapshotToolhelp32strstrwcsstr
                                                  • String ID:
                                                  • API String ID: 146143966-0
                                                  • Opcode ID: 479f2f72a704a3b5c2289d2de251190d7c82cc186dc092ac8778594daa37f946
                                                  • Instruction ID: 58f6ba2257750e6ab45c168541484ccfaec70cf465e469f9539c8ec9d4fa11c7
                                                  • Opcode Fuzzy Hash: 479f2f72a704a3b5c2289d2de251190d7c82cc186dc092ac8778594daa37f946
                                                  • Instruction Fuzzy Hash: 6D11B6762003156BF350EBB59C85EEB7B9CEFC1390F850929FD05C2145EB39E90886B1
                                                  APIs
                                                  • NetUserDel.NETAPI32(00000000,00000000), ref: 10025C48
                                                  • #825.MFC42(00000000,00000000,00000000), ref: 10025C50
                                                  • wsprintfA.USER32 ref: 10025C98
                                                  • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 10025CB8
                                                  • Sleep.KERNEL32(00000032), ref: 10025CC4
                                                  • RegQueryValueExA.ADVAPI32 ref: 10025CF1
                                                  • RegCloseKey.ADVAPI32(1012B064), ref: 10025CFC
                                                  • wsprintfA.USER32 ref: 10025D11
                                                    • Part of subcall function 10025700: LocalSize.KERNEL32(00000000), ref: 10025710
                                                    • Part of subcall function 10025700: LocalFree.KERNEL32(00000000,?,10025C00,00000001,?,00000000,00000001,?,?), ref: 10025720
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Localwsprintf$#825CloseFreeOpenQuerySizeSleepUserValue
                                                  • String ID: %08X$SAM\SAM\Domains\Account\Users\Names\%s
                                                  • API String ID: 2119749478-1111274145
                                                  • Opcode ID: bd725d2a93c7658a03313c052c1a9d5d93dc0526972a7255ae4a6a4a563ec4d0
                                                  • Instruction ID: e0920d16e5506446cfe1c478c4ae781575f03c35c6dbdffeea54ad2fc11cc29e
                                                  • Opcode Fuzzy Hash: bd725d2a93c7658a03313c052c1a9d5d93dc0526972a7255ae4a6a4a563ec4d0
                                                  • Instruction Fuzzy Hash: D73128752043056FE210DB24EC85FAB77DCEBC5251F80092CFA4692282FA36E90C8767
                                                  APIs
                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000B634
                                                  • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1000B6A9
                                                  • GetFileSize.KERNEL32 ref: 1000B6BC
                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 1000B6D0
                                                  • lstrlenA.KERNEL32(?), ref: 1000B6DE
                                                  • #823.MFC42(00000000), ref: 1000B6E7
                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 1000B70D
                                                  • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 1000B716
                                                  • CloseHandle.KERNEL32(00000000), ref: 1000B71D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$lstrlen$#823CloseCreateDirectoryHandlePointerSizeSystemWrite
                                                  • String ID: .key
                                                  • API String ID: 2856261289-343438762
                                                  • Opcode ID: 3818ea17cc2e59f9f6ab64f97ab2d81d5e532922a39f58c257a4f2331ab7a23d
                                                  • Instruction ID: bd8e3325d0db8e7463eafbc11f0d66b84d6b493b70728e4679981c1757bf8fad
                                                  • Opcode Fuzzy Hash: 3818ea17cc2e59f9f6ab64f97ab2d81d5e532922a39f58c257a4f2331ab7a23d
                                                  • Instruction Fuzzy Hash: A0215C752006042BF724DA789C8AFAB3A89FB84760F580739FE57D71D1DEA49D088760
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveOutOpen), ref: 100014C9
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100014D2
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveOutPrepareHeader), ref: 100014E2
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100014E5
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveOutGetNumDevs), ref: 100014F5
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100014F8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: WINMM.dll$waveOutGetNumDevs$waveOutOpen$waveOutPrepareHeader
                                                  • API String ID: 2574300362-4065288365
                                                  • Opcode ID: c1eceda1addd48c4943001bcefb37505a5823e870f1f8cdf6cdf7baea139bf02
                                                  • Instruction ID: 97c40741ceac41b55f427a3e19617a04594bb35f0b993fe0b131869bec9d13a6
                                                  • Opcode Fuzzy Hash: c1eceda1addd48c4943001bcefb37505a5823e870f1f8cdf6cdf7baea139bf02
                                                  • Instruction Fuzzy Hash: C5212676600204ABDB10DF68EC84AA67BE8FFC8310F154469EB049B301D736E945DBE0
                                                  APIs
                                                  • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1000E5EA
                                                  • lstrlenA.KERNEL32 ref: 1000E609
                                                  • WriteFile.KERNEL32(00000000,?,00000000), ref: 1000E612
                                                  • CloseHandle.KERNEL32(00000000), ref: 1000E619
                                                  • RegCreateKeyA.ADVAPI32(80000001,TGByte\Setup,?), ref: 1000E62E
                                                  • RegSetValueExA.ADVAPI32(00000000,Host,00000000,00000001,?), ref: 1000E650
                                                  • RegCloseKey.ADVAPI32(?), ref: 1000E65B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateFile$HandleValueWritelstrlen
                                                  • String ID: C:\ProgramData\Microsoft Drive\Host.sys$Host$TGByte\Setup
                                                  • API String ID: 1763583472-3579490797
                                                  • Opcode ID: 3c72f0055c499f351d9c69bb76d358f610eb38518ca91f6f01103dca83156795
                                                  • Instruction ID: 77af767004de95c6ec99707751be97fa26c4c007db1504f7e5df3f5080d650d4
                                                  • Opcode Fuzzy Hash: 3c72f0055c499f351d9c69bb76d358f610eb38518ca91f6f01103dca83156795
                                                  • Instruction Fuzzy Hash: 9E11A375100310BBE320DB68CC49FEB7BADFB89751F044A18F659A21D0DBB4A8058BA2
                                                  APIs
                                                  • select.WS2_32(?,?,00000000,00000000,00000000), ref: 10023D9A
                                                  • _errno.MSVCRT ref: 10023DA4
                                                  • __WSAFDIsSet.WS2_32(?,?), ref: 10023DBC
                                                  • __WSAFDIsSet.WS2_32(?,?), ref: 10023DD2
                                                  • recvfrom.WS2_32(00000010,?,00001FF6,00000000,?,00000010), ref: 10023E0C
                                                  • inet_addr.WS2_32(00000000), ref: 10023E8D
                                                  • htons.WS2_32(?), ref: 10023E9C
                                                  • Sleep.KERNEL32(00000005), ref: 10023ECC
                                                  • Sleep.KERNEL32(00000005,?,?), ref: 10023F37
                                                  • closesocket.WS2_32 ref: 10023F4C
                                                  • closesocket.WS2_32(?), ref: 10023F52
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleepclosesocket$_errnohtonsinet_addrrecvfromselect
                                                  • String ID:
                                                  • API String ID: 1415794423-0
                                                  • Opcode ID: 6df6ff11d769b684a62b0966e0b602471fdf7786851801ab43aab968e0e1c4fd
                                                  • Instruction ID: 526c464df8ce17cb72c57ff37cbb3dc0b2e5127f8a28d9ed385b909f9f69fec1
                                                  • Opcode Fuzzy Hash: 6df6ff11d769b684a62b0966e0b602471fdf7786851801ab43aab968e0e1c4fd
                                                  • Instruction Fuzzy Hash: F461A074508381ABD710CF24EC44AABB7F4FFC4714F408A2EF99997250E774D9098B66
                                                  APIs
                                                  • strchr.MSVCRT ref: 10023B29
                                                  • atoi.MSVCRT(?), ref: 10023B56
                                                  • strchr.MSVCRT ref: 10023B98
                                                  • strncpy.MSVCRT ref: 10023BCF
                                                  • strchr.MSVCRT ref: 10023BDB
                                                  • strncpy.MSVCRT ref: 10023C03
                                                  • strncpy.MSVCRT ref: 10023C1F
                                                  • InitializeCriticalSection.KERNEL32(1012C508), ref: 10023C86
                                                    • Part of subcall function 10023A10: WSAStartup.WS2_32(00000202,?), ref: 10023A21
                                                    • Part of subcall function 10023A10: socket.WS2_32(00000002,00000001,00000006), ref: 10023A35
                                                    • Part of subcall function 10023A10: htons.WS2_32 ref: 10023A68
                                                    • Part of subcall function 10023A10: bind.WS2_32 ref: 10023A83
                                                    • Part of subcall function 10023A10: listen.WS2_32(00000000,00000032), ref: 10023A94
                                                  • WSACleanup.WS2_32 ref: 10023C91
                                                  • DeleteCriticalSection.KERNEL32(1012C508), ref: 10023C9C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strchrstrncpy$CriticalSection$CleanupDeleteInitializeStartupatoibindhtonslistensocket
                                                  • String ID:
                                                  • API String ID: 2616448033-0
                                                  • Opcode ID: b3e819960a5ceb772749df472572fff6845e508e6a232be90d491a19d2ba0dc7
                                                  • Instruction ID: 389e13c2c4ed3a1267702f136a6e221e616880a063256ef4c28e1067461a3ad5
                                                  • Opcode Fuzzy Hash: b3e819960a5ceb772749df472572fff6845e508e6a232be90d491a19d2ba0dc7
                                                  • Instruction Fuzzy Hash: FA41C0766006081BD32C96789C458BB7BD5FBC4320F554B2EFA2B936D0DEB4EA088295
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CharNext$free$AttributesCreateDirectoryErrorFileLastlstrcpylstrlenmalloc
                                                  • String ID:
                                                  • API String ID: 3289936468-0
                                                  • Opcode ID: 0dd721cf81c20e6a7698efb1a4a3b03771bafae10b7b11cfc38245ae795d8177
                                                  • Instruction ID: c614f76b29358a3fda3e897671393add0d389b4ba00e88ce342a7451a82b3d62
                                                  • Opcode Fuzzy Hash: 0dd721cf81c20e6a7698efb1a4a3b03771bafae10b7b11cfc38245ae795d8177
                                                  • Instruction Fuzzy Hash: 8241E8B4D046559FF721CF188C447AEBBE4FB0A6E0F14066AE8D5A3645C3344A02CFA6
                                                  APIs
                                                  • #540.MFC42 ref: 10011358
                                                  • #858.MFC42(00000004), ref: 10011376
                                                  • #922.MFC42(?,00000000,00000000,?,?,?,?), ref: 100113A9
                                                  • #858.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 100113B8
                                                  • #800.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 100113C6
                                                  • #800.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 100113D4
                                                  • #800.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 100113E1
                                                  • #939.MFC42(00000000,?,000000FF,00000000,?,00000000,00000000,?,?,?,?), ref: 10011409
                                                  • #800.MFC42(00000000,?,000000FF,00000000,?,00000000,00000000,?,?,?,?), ref: 10011416
                                                  • #535.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 10011426
                                                  • #800.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 10011438
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #800$#858$#535#540#922#939
                                                  • String ID:
                                                  • API String ID: 1721966335-0
                                                  • Opcode ID: d3eaab9370e68b490d7de8f8f62eee078f09842f4a933f1445def97a6244d3b3
                                                  • Instruction ID: 1068962097da1abb9be03f2cf21bec5754a184422a1b80b0b6d5662a040d76a2
                                                  • Opcode Fuzzy Hash: d3eaab9370e68b490d7de8f8f62eee078f09842f4a933f1445def97a6244d3b3
                                                  • Instruction Fuzzy Hash: 7D319A79108381ABC305DB68D551F9FBBE9EF98A14F400A1DF49993282DB34E608C767
                                                  APIs
                                                    • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                    • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000008), ref: 100196A1
                                                  • OpenServiceA.ADVAPI32(00000000,?,00000002), ref: 100196D9
                                                  • LockServiceDatabase.ADVAPI32(00000000), ref: 100196E2
                                                  • ChangeServiceConfigA.ADVAPI32(00000000,000000FF,00000002,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10019728
                                                  • UnlockServiceDatabase.ADVAPI32(00000000), ref: 10019733
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 10019740
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 10019743
                                                  • Sleep.KERNEL32(000000C8), ref: 1001974A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$Open$CloseDatabaseHandleProcess$ChangeConfigCurrentLockManagerSleepTokenUnlock
                                                  • String ID: SeDebugPrivilege
                                                  • API String ID: 2207141857-2896544425
                                                  • Opcode ID: 2f3acc30e24ab5a10817afa1dfb6eda61875a7786e2a6d68692a696860b2cb32
                                                  • Instruction ID: dc65207eb95ef46fdda0787c0b6e18c9b4e2414683cc893defa47448b081054d
                                                  • Opcode Fuzzy Hash: 2f3acc30e24ab5a10817afa1dfb6eda61875a7786e2a6d68692a696860b2cb32
                                                  • Instruction Fuzzy Hash: D2213D3925411467E320AB789C4AFEB3B98FB94760F140326FA199B2C1DD74EC448675
                                                  APIs
                                                    • Part of subcall function 10014700: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                    • Part of subcall function 10014700: GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                    • Part of subcall function 10014700: #823.MFC42(?), ref: 10014763
                                                    • Part of subcall function 10014700: #823.MFC42(?,?), ref: 100147DA
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,00000000,759183C0,759232C0,759223A0), ref: 1001AAA6
                                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000,759183C0,759232C0,759223A0), ref: 1001AAE3
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,759183C0,759232C0,759223A0), ref: 1001AAF3
                                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,00000000,759183C0,759232C0,759223A0), ref: 1001AB03
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,759183C0,759232C0,759223A0), ref: 1001AB0A
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,00000000,759183C0,759232C0,759223A0), ref: 1001AB11
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$#823lstrlen$AddressCloseCreateHandleLibraryLoadProcReadSize
                                                  • String ID: BITS$C:\ProgramData\Microsoft Drive\BITS.sys$TGByte\Setup
                                                  • API String ID: 1069036285-946259135
                                                  • Opcode ID: 5a94f7587d8c9009ace8e15a0aa4a76d818b3a8cac7c22567c57c3c87f9c405e
                                                  • Instruction ID: 37052403d1830ee5bbc2a658acef88262f79e6c9eb3fb75476596a4dbd9106d3
                                                  • Opcode Fuzzy Hash: 5a94f7587d8c9009ace8e15a0aa4a76d818b3a8cac7c22567c57c3c87f9c405e
                                                  • Instruction Fuzzy Hash: 15210731204750AFE310CB68CC91BEBB7D9FB89350F444A2CFA49972D0DA755A05CBA1
                                                  APIs
                                                    • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                    • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 10019871
                                                  • OpenServiceA.ADVAPI32(00000000,?,00000034), ref: 100198A9
                                                  • QueryServiceStatus.ADVAPI32(00000000,?), ref: 100198B7
                                                  • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 100198DA
                                                  • ControlService.ADVAPI32(00000000,00000001,?), ref: 100198ED
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 100198FA
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 100198FD
                                                  • Sleep.KERNEL32(000000C8), ref: 10019904
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$Open$CloseHandleProcess$ControlCurrentManagerQuerySleepStartStatusToken
                                                  • String ID: SeDebugPrivilege
                                                  • API String ID: 3878120848-2896544425
                                                  • Opcode ID: 3686d3d753bd6d724ea35e6a9d07ba9d6be5f52da5a1c1b2a9d2d1cb915500a3
                                                  • Instruction ID: 50e31cc6d71f3cb09cdeb76e9080be0a7887b9f28361484d1c1b8db58f74100a
                                                  • Opcode Fuzzy Hash: 3686d3d753bd6d724ea35e6a9d07ba9d6be5f52da5a1c1b2a9d2d1cb915500a3
                                                  • Instruction Fuzzy Hash: C721EB352502146BE714EB609C8AFBF77D4FB88350F15061AFA0A9A1C0EEB4AD448665
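The two service-control records above (OpenSCManagerA / OpenServiceA / LockServiceDatabase / ChangeServiceConfigA at 100196A1 to 10019728, and OpenSCManagerA / OpenServiceA / QueryServiceStatus / StartServiceA / ControlService at 10019871 to 100198ED), like the CreateFileA read of C:\ProgramData\Microsoft Drive\BITS.sys at 1001AAE3, print their arguments as raw hex. What follows is an added example, not part of the Joe Sandbox report and not code from the sample, that parses those trace lines and names the access masks, start types and control codes with the Win32 constants from winsvc.h, winnt.h and fileapi.h. The trace lines embedded in it are copied from this report. One assumption: the report prints 000000FF where ChangeServiceConfigA's "no change" value (SERVICE_NO_CHANGE, 0xFFFFFFFF) belongs; the decoder treats that as the 8-bit immediate of a sign-extended `push -1` shown without sign extension and names both spellings SERVICE_NO_CHANGE.

```python
"""Decode the numeric arguments in Joe Sandbox API trace lines (ADVAPI32
service-control calls and KERNEL32 CreateFileA) into Win32 constant names."""
import re

# Win32 constants from winsvc.h, winnt.h and fileapi.h.
SC_MANAGER_RIGHTS = {0x1: "SC_MANAGER_CONNECT", 0x2: "SC_MANAGER_CREATE_SERVICE",
                     0x4: "SC_MANAGER_ENUMERATE_SERVICE", 0x8: "SC_MANAGER_LOCK",
                     0x10: "SC_MANAGER_QUERY_LOCK_STATUS", 0x20: "SC_MANAGER_MODIFY_BOOT_CONFIG"}
SERVICE_RIGHTS = {0x1: "SERVICE_QUERY_CONFIG", 0x2: "SERVICE_CHANGE_CONFIG",
                  0x4: "SERVICE_QUERY_STATUS", 0x8: "SERVICE_ENUMERATE_DEPENDENTS",
                  0x10: "SERVICE_START", 0x20: "SERVICE_STOP", 0x40: "SERVICE_PAUSE_CONTINUE",
                  0x80: "SERVICE_INTERROGATE", 0x100: "SERVICE_USER_DEFINED_CONTROL"}
START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
               3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
CONTROLS = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE", 3: "SERVICE_CONTROL_CONTINUE"}
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS",
               5: "TRUNCATE_EXISTING"}
FILE_ATTRS = {0x1: "FILE_ATTRIBUTE_READONLY", 0x2: "FILE_ATTRIBUTE_HIDDEN",
              0x4: "FILE_ATTRIBUTE_SYSTEM", 0x80: "FILE_ATTRIBUTE_NORMAL"}

# Matches "OpenServiceA.ADVAPI32(00000000,?,00000034), ref: 100198A9". The argument
# list is optional because some lines ("closesocket.WS2_32 ref: ...") carry none.
TRACE_RE = re.compile(r"([#\w]+)\.(\w+)(?:\((.*?)\))?,?\s*ref:\s*([0-9A-Fa-f]+)")
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_arg(text):
    """Int for an 8-digit hex argument, None for '?' or a string literal."""
    return int(text, 16) if HEX_RE.match(text) else None


def decode_mask(value, table):
    """Split an access mask into its named bits; leftover bits are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) if names else "0"


def no_change_or(value, table=None):
    """Name a ChangeServiceConfig argument. SERVICE_NO_CHANGE is 0xFFFFFFFF; the
    report prints 000000FF in those slots, which I assume is the 8-bit immediate of
    a sign-extended `push -1` shown without sign extension (assumption)."""
    if value is None:
        return "?"
    if value in (0xFFFFFFFF, 0xFF):
        return "SERVICE_NO_CHANGE"
    return (table or {}).get(value, hex(value))


def annotate(line):
    """Parse one trace line; decode the arguments of the calls this tool knows."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    api, module, raw_args, ref = m.groups()
    args = [a.strip() for a in raw_args.split(",")] if raw_args else []
    vals = [parse_arg(a) for a in args]
    decoded = {}
    if api.startswith("OpenSCManager") and len(vals) > 2 and vals[2] is not None:
        decoded["dwDesiredAccess"] = decode_mask(vals[2], SC_MANAGER_RIGHTS)
    elif api.startswith("OpenService") and len(vals) > 2 and vals[2] is not None:
        decoded["dwDesiredAccess"] = decode_mask(vals[2], SERVICE_RIGHTS)
    elif api.startswith("ChangeServiceConfig") and len(vals) > 3:
        decoded["dwServiceType"] = no_change_or(vals[1])
        decoded["dwStartType"] = no_change_or(vals[2], START_TYPES)
        decoded["dwErrorControl"] = no_change_or(vals[3])
    elif api == "ControlService" and len(vals) > 1 and vals[1] is not None:
        decoded["dwControl"] = CONTROLS.get(vals[1], hex(vals[1]))
    elif api.startswith("CreateFile") and len(vals) > 5 and None not in vals[1:6]:
        decoded["dwDesiredAccess"] = decode_mask(vals[1], GENERIC)
        decoded["dwShareMode"] = decode_mask(vals[2], SHARE)
        decoded["dwCreationDisposition"] = DISPOSITION.get(vals[4], hex(vals[4]))
        decoded["dwFlagsAndAttributes"] = decode_mask(vals[5], FILE_ATTRS)
    return {"api": api, "module": module, "ref": ref, "args": args, "decoded": decoded}


# Trace lines copied from the records in this report (not constructed).
REPORT_LINES = [
    "OpenSCManagerA.ADVAPI32(00000000,00000000,00000008), ref: 100196A1",
    "OpenServiceA.ADVAPI32(00000000,?,00000002), ref: 100196D9",
    "ChangeServiceConfigA.ADVAPI32(00000000,000000FF,00000002,000000FF,00000000,00000000,"
    "00000000,00000000,00000000,00000000,00000000), ref: 10019728",
    "OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 10019871",
    "OpenServiceA.ADVAPI32(00000000,?,00000034), ref: 100198A9",
    "ControlService.ADVAPI32(00000000,00000001,?), ref: 100198ED",
    "CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,"
    "?,?,?,?,00000000,759183C0,759232C0,759223A0), ref: 1001AAE3",
]


def decode_trace(lines):
    """Return {ref: decoded arguments} for every line whose arguments could be named."""
    out = {}
    for line in lines:
        entry = annotate(line)
        if entry and entry["decoded"]:
            out[entry["ref"]] = entry["decoded"]
    return out


if __name__ == "__main__":
    for ref, dec in decode_trace(REPORT_LINES).items():
        print(ref, dec)
```

Read with the constants named, the first routine opens the SCM with SC_MANAGER_LOCK, the service with SERVICE_CHANGE_CONFIG, and sets only the start type (SERVICE_AUTO_START), leaving service type and error control unchanged. The second opens the service with SERVICE_QUERY_STATUS | SERVICE_START | SERVICE_STOP and, after StartServiceA, sends SERVICE_CONTROL_STOP. The BITS.sys read is GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL. Both service routines are entered after the SeDebugPrivilege helper at 1001B690, which is why the service name and the two dropped files under C:\ProgramData\Microsoft Drive are the artifacts to hunt for on a host.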
                                                  APIs
                                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 100296A0
                                                  • GetCurrentProcess.KERNEL32(?), ref: 100296AB
                                                  • IsWow64Process.KERNEL32(00000000), ref: 100296B2
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 100296FD
                                                  • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 10029717
                                                  • WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 1002973C
                                                  • CloseHandle.KERNEL32(00000000), ref: 10029745
                                                  Strings
                                                  • \sysnative\drivers\etc\hosts, xrefs: 100296C2
                                                  • \system32\drivers\etc\hosts, xrefs: 100296C9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Process$AttributesCloseCreateCurrentDirectoryHandleWindowsWow64Write
                                                  • String ID: \sysnative\drivers\etc\hosts$\system32\drivers\etc\hosts
                                                  • API String ID: 4291671391-1011561390
                                                  • Opcode ID: a1fa3b0a1f8d3af9d2af9e6ba4edfac3d9ef2b57c82be85cc8055d162f2ea8f3
                                                  • Instruction ID: c9d47a61cbbc8419951abeae2748bf3b8fdbec6f91992c5754469a235e23e27f
                                                  • Opcode Fuzzy Hash: a1fa3b0a1f8d3af9d2af9e6ba4edfac3d9ef2b57c82be85cc8055d162f2ea8f3
                                                  • Instruction Fuzzy Hash: D721C5352043056BE324DB78DC49F9B7B98FB84760F140F2CFA9A972D0DBB0990887A1
                                                  APIs
                                                  • #2614.MFC42(?,?,10007AFF), ref: 10008084
                                                  • #860.MFC42(*.*,?,?,10007AFF), ref: 10008091
                                                  • #3811.MFC42(?,*.*,?,?,10007AFF), ref: 100080B2
                                                  • #3811.MFC42(?,?,*.*,?,?,10007AFF), ref: 100080C1
                                                  • #3811.MFC42(?,?,?,*.*,?,?,10007AFF), ref: 100080D0
                                                  • #3811.MFC42(?,?,?,?,*.*,?,?,10007AFF), ref: 100080DF
                                                  • #3811.MFC42(?,?,?,?,?,*.*,?,?,10007AFF), ref: 100080EE
                                                  • #3811.MFC42(?,?,?,?,?,?,*.*,?,?,10007AFF), ref: 100080FD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #3811$#2614#860
                                                  • String ID: *.*
                                                  • API String ID: 4293058641-438819550
                                                  • Opcode ID: 9a1bd5b303f82e1101b9f388daf2ff61e48d11c0f8e37bea33aad176008b9ec5
                                                  • Instruction ID: 666ce54a2a265a37b10a0135446347dcc930d7d9a3e7cb816894ca7fb184fd78
                                                  • Opcode Fuzzy Hash: 9a1bd5b303f82e1101b9f388daf2ff61e48d11c0f8e37bea33aad176008b9ec5
                                                  • Instruction Fuzzy Hash: 5D11B3B5404B059FC7A4CFA5D681946BBE5FE886007848A2EA18AC7A24E770F504DF50
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,MultiByteToWideChar,.23,00000000,?,00000000,10005979,?,?), ref: 100059E4
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100059ED
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA,?,00000000,10005979,?,?), ref: 100059FB
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100059FE
                                                  • malloc.MSVCRT ref: 10005A1F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$malloc
                                                  • String ID: .23$KERNEL32.dll$MultiByteToWideChar$lstrlenA
                                                  • API String ID: 1625907898-566195008
                                                  • Opcode ID: 5775f1e7eb7e2f5d9e18227d5eded49f95364944b1adf940be7b042424f80c18
                                                  • Instruction ID: cce5c33cb54e4e20ebcd19e924e9cf720d43bdeab14a6bb2b58a7cbeabffb214
                                                  • Opcode Fuzzy Hash: 5775f1e7eb7e2f5d9e18227d5eded49f95364944b1adf940be7b042424f80c18
                                                  • Instruction Fuzzy Hash: A5F0C8E25403196BE620ABB48C46E7BB7ECEF85351F05482AF545D3240DA68E8008771
                                                  APIs
                                                    • Part of subcall function 10018A20: ReleaseDC.USER32(00000000,?), ref: 10018A38
                                                    • Part of subcall function 10018A20: GetDC.USER32(00000000), ref: 10018A40
                                                  • GetCursorPos.USER32(?), ref: 10018246
                                                  • GetSystemMetrics.USER32(00000000), ref: 10018255
                                                  • _ftol.MSVCRT ref: 10018273
                                                  • _ftol.MSVCRT ref: 10018288
                                                  • GetCursorInfo.USER32(?,?,00000008), ref: 100182AE
                                                  • DestroyCursor.USER32(?), ref: 100182D9
                                                  • BitBlt.GDI32(?,00000000,00000000,10016B8A,?,?,00000000,00000000,?), ref: 1001831C
                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 10018373
                                                  • Sleep.KERNEL32(00000001), ref: 10018393
                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 1001839C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Cursor$CounterPerformanceQuery_ftol$DestroyInfoMetricsReleaseSleepSystem
                                                  • String ID:
                                                  • API String ID: 2306850792-0
                                                  • Opcode ID: bb3ab1a7d1fb864ae3465332f95efda82989cf761ace87dd28a93c5291d193c7
                                                  • Instruction ID: ed20b3c1f5c79fd808ca28f3e705cb4aa4f98cfa336912cfc5d34cc1cf5afb6b
                                                  • Opcode Fuzzy Hash: bb3ab1a7d1fb864ae3465332f95efda82989cf761ace87dd28a93c5291d193c7
                                                  • Instruction Fuzzy Hash: 43517B75204B019FE324DF29C890B5BB7E5FB88700F544A1DF6A69B290E770FA85CB61
                                                  APIs
                                                  • ReleaseDC.USER32(00000000,?), ref: 10018034
                                                  • DeleteDC.GDI32(?), ref: 10018044
                                                  • DeleteDC.GDI32(?), ref: 1001804A
                                                  • DeleteDC.GDI32(?), ref: 10018050
                                                  • DeleteObject.GDI32(?), ref: 1001805C
                                                  • DeleteObject.GDI32(?), ref: 10018062
                                                  • #825.MFC42(?,?,?,?,?,?,?,10098B7C,000000FF,10017FE8), ref: 10018083
                                                  • #825.MFC42(?,?,?,?,?,?,?,10098B7C,000000FF,10017FE8), ref: 10018093
                                                  • #825.MFC42(?,?,?,?,?,?,?,10098B7C,000000FF,10017FE8), ref: 100180A3
                                                  • DestroyCursor.USER32(?), ref: 100180C9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Delete$#825$Object$CursorDestroyRelease
                                                  • String ID:
                                                  • API String ID: 719826280-0
                                                  • Opcode ID: 90877511eecfd0b4e7a431cebd02d7416917aa731a6839dde4062e1f4328a9cd
                                                  • Instruction ID: ee9c09a91b7e4212c511851f40033770f7d05fd05274aa2e52ec135f7c4494b2
                                                  • Opcode Fuzzy Hash: 90877511eecfd0b4e7a431cebd02d7416917aa731a6839dde4062e1f4328a9cd
                                                  • Instruction Fuzzy Hash: 8921BFB6600B049BE620DF65CC80B57B3ECFF88610F050A1DE59A97790CB79F9048BA1
                                                  APIs
                                                    • Part of subcall function 1002BE50: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1002BE71
                                                    • Part of subcall function 1002BE50: Process32First.KERNEL32(00000000,00000000), ref: 1002BE8B
                                                    • Part of subcall function 1002BE50: _strcmpi.MSVCRT ref: 1002BEA7
                                                    • Part of subcall function 1002BE50: Process32Next.KERNEL32(00000000,?), ref: 1002BEB6
                                                    • Part of subcall function 1002BE50: CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 1002BEC0
                                                  • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 1002C3E2
                                                  • OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 1002C3FC
                                                  • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 1002C422
                                                  • #823.MFC42(?), ref: 1002C42F
                                                  • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 1002C451
                                                  • #823.MFC42(00000100), ref: 1002C473
                                                  • LookupAccountSidA.ADVAPI32(00000000,00000000,00000000,00000100,?,00000104,?), ref: 1002C4A3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Token$#823InformationOpenProcessProcess32$AccountCloseCreateFirstHandleLookupNextSnapshotToolhelp32_strcmpi
                                                  • String ID: explorer.exe
                                                  • API String ID: 1409679202-3187896405
                                                  • Opcode ID: cdf207af64fab364c8e5cf922331446714e2d043d2f38fccba7b385bc9961bc5
                                                  • Instruction ID: 473375eb415be4f23099c9e5e37f9ddbe1d6da3e806a8c1c49872e14675b6481
                                                  • Opcode Fuzzy Hash: cdf207af64fab364c8e5cf922331446714e2d043d2f38fccba7b385bc9961bc5
                                                  • Instruction Fuzzy Hash: D2412CB6D00228AFDB51EF99EC85FEEBBB8FB48710F10415AF509A3240D6715A40CFA0
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: sprintfwsprintf$FileModuleName
                                                  • String ID: %s:%d
                                                  • API String ID: 2407558147-1029262843
                                                  • Opcode ID: 0942b979129ab3af1949410a09b605f7c661f2e2ff645c301eb70f73998e51af
                                                  • Instruction ID: fd49b9ecd1bde712457a370e29f6454014d695191750da2572ea05eb59ca54ea
                                                  • Opcode Fuzzy Hash: 0942b979129ab3af1949410a09b605f7c661f2e2ff645c301eb70f73998e51af
                                                  • Instruction Fuzzy Hash: 9E21F6BA4042496FD224D724DC84FEBB3DDEFE8310F45492DF69857140EBB46A46CB92
                                                  APIs
                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10026C36
                                                  • lstrcatA.KERNEL32(?,?), ref: 10026C48
                                                  • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000003,00000080,00000000), ref: 10026C65
                                                  • SetFilePointer.KERNEL32(00000000,?,?,00000000), ref: 10026C76
                                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 10026C93
                                                  • CloseHandle.KERNEL32(00000000), ref: 10026C9A
                                                  • LocalFree.KERNEL32(?), ref: 10026CCA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateDirectoryFreeHandleLocalPointerSystemWritelstrcat
                                                  • String ID: p
                                                  • API String ID: 3379061965-2181537457
                                                  • Opcode ID: dff563a2350ad42211304f3934d3364c625aae18de2b9c5e09d3b81c4ae3f541
                                                  • Instruction ID: 60c71b90a0802acaa0e5dbf25da7476a72f7519069fb5f0452f7d82c481299c6
                                                  • Opcode Fuzzy Hash: dff563a2350ad42211304f3934d3364c625aae18de2b9c5e09d3b81c4ae3f541
                                                  • Instruction Fuzzy Hash: 8621DE75244305ABE310DF58CC85FDBB7E8FBC8704F044A1DF68996190D774A608CBA2
                                                  APIs
                                                    • Part of subcall function 100290C0: GetCurrentProcess.KERNEL32(00000028), ref: 100290D0
                                                    • Part of subcall function 100290C0: OpenProcessToken.ADVAPI32(00000000), ref: 100290D7
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 100291FA
                                                  • Thread32First.KERNEL32(00000000,0000001C), ref: 1002920B
                                                  • OpenThread.KERNEL32(001F03FF,00000000,?,?,?,00000000,0000001C,00000004,00000000), ref: 10029240
                                                  • SuspendThread.KERNEL32(00000000,?,?,00000000,0000001C,00000004,00000000), ref: 10029245
                                                  • CloseHandle.KERNEL32(00000000,?,?,00000000,0000001C,00000004,00000000), ref: 10029248
                                                  • Thread32Next.KERNEL32(00000000,?), ref: 10029254
                                                  • CloseHandle.KERNEL32(00000000,00000000,0000001C,00000004,00000000), ref: 10029260
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandleOpenProcessThreadThread32$CreateCurrentFirstNextSnapshotSuspendTokenToolhelp32
                                                  • String ID: SeDebugPrivilege
                                                  • API String ID: 3882456823-2896544425
                                                  • Opcode ID: 21207cfc81d0fa30fd38e5c79fccdacdf40486e218a730a008db783386ba6bf6
                                                  • Instruction ID: 0dba8d27cde3c0ec8bc65889917dbe9669003c362c892a02e3719d3f6e3c27b7
                                                  • Opcode Fuzzy Hash: 21207cfc81d0fa30fd38e5c79fccdacdf40486e218a730a008db783386ba6bf6
                                                  • Instruction Fuzzy Hash: A201A135201314BFE600DB559C81FAFB3E8FFC5650F854919FA4457280E771AD08CBA6
                                                  APIs
                                                  • WTSQuerySessionInformationA.WTSAPI32(00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024B60
                                                  • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024B80
                                                  • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024B94
                                                  • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024BA8
                                                  • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024BBB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FreeMemory$InformationQuerySession
                                                  • String ID: Console$ICA$RDP
                                                  • API String ID: 2964284127-2419630658
                                                  • Opcode ID: 801d06fd808deb32adaf04dd55d1acd891187c1d98a4c4a9c9149a91bf9eef73
                                                  • Instruction ID: 0001bdd9fd8658d2e899755531ac517774755b07b19ae12f8ae691ec09599144
                                                  • Opcode Fuzzy Hash: 801d06fd808deb32adaf04dd55d1acd891187c1d98a4c4a9c9149a91bf9eef73
                                                  • Instruction Fuzzy Hash: A10128B6618671678504EB5CBC419EBB2F8EB90A55F49443EF944D7200E630ED1CCBF6
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00020019,?), ref: 1002AE32
                                                  • RegQueryValueExA.ADVAPI32(00000050,Favorites,00000000,00000000,00000000,00000050), ref: 1002AE53
                                                  • RegCloseKey.ADVAPI32(?), ref: 1002AE5E
                                                  • LocalAlloc.KERNEL32(00000040,00002710), ref: 1002AE6B
                                                    • Part of subcall function 1002AB10: lstrcatA.KERNEL32(00000000,?), ref: 1002AB66
                                                    • Part of subcall function 1002AB10: lstrcatA.KERNEL32(00000000,\*.*), ref: 1002AB75
                                                    • Part of subcall function 1002AB10: FindFirstFileA.KERNEL32(00000000,?), ref: 1002AB91
                                                  • LocalReAlloc.KERNEL32(?,00000001,00000042), ref: 1002AEA0
                                                  Strings
                                                  • P, xrefs: 1002AE18
                                                  • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 1002AE28
                                                  • Favorites, xrefs: 1002AE4D
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocLocallstrcat$CloseFileFindFirstOpenQueryValue
                                                  • String ID: Favorites$P$Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                  • API String ID: 3779601296-2418616894
                                                  • Opcode ID: d7729a247b4284a55a849c53e1d99578fd815a4d8100352e55383c708fc5584b
                                                  • Instruction ID: fd56b62a4ffb6e35bb703918516ba2f5bc7815b375f464fe2affdf5f1bbbd1a9
                                                  • Opcode Fuzzy Hash: d7729a247b4284a55a849c53e1d99578fd815a4d8100352e55383c708fc5584b
                                                  • Instruction Fuzzy Hash: BF1191B4204312FFE300DF24CC85F9B7BA5FB88704F504E1DF658A26A1D7B8A4198B62
                                                  APIs
                                                    • Part of subcall function 100290C0: GetCurrentProcess.KERNEL32(00000028), ref: 100290D0
                                                    • Part of subcall function 100290C0: OpenProcessToken.ADVAPI32(00000000), ref: 100290D7
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 10029177
                                                  • Thread32First.KERNEL32(00000000,0000001C), ref: 10029184
                                                  • Thread32Next.KERNEL32(00000000,0000001C), ref: 1002919F
                                                  • OpenThread.KERNEL32(001F03FF,00000000,?,00000004,00000000), ref: 100291B2
                                                  • ResumeThread.KERNEL32(00000000), ref: 100291BB
                                                  • CloseHandle.KERNEL32(00000000), ref: 100291C2
                                                  • CloseHandle.KERNEL32(00000000,00000004,00000000), ref: 100291C5
                                                  Strings
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandleOpenProcessThreadThread32$CreateCurrentFirstNextResumeSnapshotTokenToolhelp32
                                                  • String ID: SeDebugPrivilege
                                                  • API String ID: 2312015761-2896544425
                                                  • Opcode ID: 92575825664269da82754a126b87f41c0fa238dd4cdd121b5c861b03491c7cf0
                                                  • Instruction ID: 5baa37ad70a989ad156aa77d6f180d112f87292081aecf7063da644eb0796895
                                                  • Opcode Fuzzy Hash: 92575825664269da82754a126b87f41c0fa238dd4cdd121b5c861b03491c7cf0
                                                  • Instruction Fuzzy Hash: 9501A935244204BFF200EBA99C86FAF77A8FF85B90F844519FA0486281D671AD058BB7
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 10015221
                                                  • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000,?,00000000,000F003F,?), ref: 10015257
                                                  • LocalAlloc.KERNEL32(00000040,?,?,?,?,00000000,000F003F,?), ref: 100152AB
                                                  • malloc.MSVCRT ref: 100152EC
                                                  • malloc.MSVCRT ref: 100152F7
                                                  • RegEnumValueA.ADVAPI32(?,?,?,?,00000000,?,?,?), ref: 10015381
                                                  • free.MSVCRT ref: 10015418
                                                  • free.MSVCRT ref: 1001541F
                                                  • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 10015428
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocLocalfreemalloc$EnumInfoOpenQueryValue
                                                  • String ID:
                                                  • API String ID: 1291067549-0
                                                  • Opcode ID: 223ba89da2e7258f0a281b455369526f05dc9daf1ee0305a9c4ad9c3c2095615
                                                  • Instruction ID: bf3e5857093f2ce02f48be4dfb8f04d396de7b56441170d6bdfe1fa702288673
                                                  • Opcode Fuzzy Hash: 223ba89da2e7258f0a281b455369526f05dc9daf1ee0305a9c4ad9c3c2095615
                                                  • Instruction Fuzzy Hash: FA71C0716083059FD718CF28C880B6BBBE9FBC8745F484A1DF9869B350DA71EA44CB52
                                                  APIs
                                                  • CreateRectRgnIndirect.GDI32(?), ref: 10018486
                                                  • GetRegionData.GDI32(00000000,00000000,00000000), ref: 1001851A
                                                  • #823.MFC42(00000000,?,?,?,?,?,?,00000001,?,?,?), ref: 1001851F
                                                  • GetRegionData.GDI32(00000000,00000000,00000000), ref: 10018530
                                                  • DeleteObject.GDI32(?), ref: 10018537
                                                  • #825.MFC42(00000000,00000000,00000000,?,?,00000001,?,?,?,?,?,?,?,?,?,10016B8A), ref: 10018547
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DataRegion$#823#825CreateDeleteIndirectObjectRect
                                                  • String ID:
                                                  • API String ID: 643377033-0
                                                  • Opcode ID: 001346d870f36c53a5a7599e2016c51c9870b5627219f4efa7edda646e5686e0
                                                  • Instruction ID: 3140f93dabf97cb7bd3e409eff6f417ecd497d9d1c0577791c74c40de05a7771
                                                  • Opcode Fuzzy Hash: 001346d870f36c53a5a7599e2016c51c9870b5627219f4efa7edda646e5686e0
                                                  • Instruction Fuzzy Hash: F85181B56087028BD314DF29D880A5BB7E6FFC8710F15492DF48ACB311EB74EA458B56
                                                  APIs
                                                  • GetWindowTextA.USER32(?,?,000003FF), ref: 10029EA4
                                                  • IsWindowVisible.USER32 ref: 10029EB3
                                                  • lstrlenA.KERNEL32(?), ref: 10029ECC
                                                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 10029EDF
                                                  • LocalSize.KERNEL32 ref: 10029EEF
                                                  • lstrlenA.KERNEL32(?), ref: 10029F0D
                                                  • LocalReAlloc.KERNEL32(?,?,00000042), ref: 10029F19
                                                  • GetWindowThreadProcessId.USER32(?), ref: 10029F26
                                                  • lstrlenA.KERNEL32(?,?,?,?,00000042), ref: 10029F34
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LocalWindowlstrlen$Alloc$ProcessSizeTextThreadVisible
                                                  • String ID:
                                                  • API String ID: 925664022-0
                                                  • Opcode ID: bdfcf0507623c4ea93ccd5645be1c1770e5c62d3ec9ad61f7fed79ab38ba254a
                                                  • Instruction ID: add1fb3533e99334b1788f801bc1a9e543b8ff74f7df4c1f04976087df14b6d6
                                                  • Opcode Fuzzy Hash: bdfcf0507623c4ea93ccd5645be1c1770e5c62d3ec9ad61f7fed79ab38ba254a
                                                  • Instruction Fuzzy Hash: 2621027A2003469BE750DF24CC84BEB77A8FB84750F84452DFE49A3240DA35A80AC771
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 1001656D
                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 10016578
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,10098A46,000000FF,1000CC5B), ref: 10016589
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,10098A46,000000FF,1000CC5B), ref: 10016594
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,10098A46,000000FF,1000CC5B), ref: 100165A3
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,10098A46,000000FF,1000CC5B), ref: 100165AC
                                                  • ReleaseDC.USER32(00000000,?), ref: 100165B7
                                                    • Part of subcall function 100167E0: sprintf.MSVCRT ref: 1001682F
                                                    • Part of subcall function 100167E0: RegOpenKeyExA.ADVAPI32(?,?,00000000,00000002,?), ref: 1001686F
                                                    • Part of subcall function 100167E0: RegSetValueExA.ADVAPI32(?,SuppressDisableCompositionUI,00000000,00000004,?,00000004), ref: 1001688E
                                                    • Part of subcall function 100167E0: RegCloseKey.ADVAPI32(?), ref: 1001689D
                                                  • BlockInput.USER32(00000000,?,?,?,?,?,?,00000000,10098A46,000000FF,1000CC5B), ref: 100165CD
                                                  • DestroyCursor.USER32(00000000), ref: 1001660A
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Close$ExchangeHandleInterlockedObjectSingleWait$BlockCursorDestroyInputOpenReleaseValuesprintf
                                                  • String ID:
                                                  • API String ID: 1142494416-0
                                                  • Opcode ID: 4ceefefdeb35724f5cd5cb8af09bc795719a28882878dd3cc17cf0b47423efc6
                                                  • Instruction ID: d4b191a7be4f08d6e559449bda8c86e8365c3d0bd4d75666bcc753f4c4a699e3
                                                  • Opcode Fuzzy Hash: 4ceefefdeb35724f5cd5cb8af09bc795719a28882878dd3cc17cf0b47423efc6
                                                  • Instruction Fuzzy Hash: 00212C752407049BE614DB64CC81BD6B3E8FF88720F154A1DF26A972D0CBB5B901CB91
                                                  APIs
                                                  • GetCurrentThreadId.KERNEL32 ref: 1002C5E2
                                                  • GetThreadDesktop.USER32(00000000), ref: 1002C5E9
                                                  • GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C61C
                                                  • OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 1002C627
                                                  • GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C64E
                                                  • lstrcmpiA.KERNEL32(?,?), ref: 1002C65D
                                                  • SetThreadDesktop.USER32(00000000), ref: 1002C668
                                                  • CloseDesktop.USER32(00000000), ref: 1002C680
                                                  • CloseDesktop.USER32(00000000), ref: 1002C683
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Desktop$Thread$CloseInformationObjectUser$CurrentInputOpenlstrcmpi
                                                  • String ID:
                                                  • API String ID: 3718465862-0
                                                  • Opcode ID: 346a97fe3b554d6ea7b4bbaf12baa1f8d932fbe5d70e927d73db7af9313f27ee
                                                  • Instruction ID: 7203b97fb3658a15e50f8a55408f95546fea7e3c6eec87968affc7e345bb74f4
                                                  • Opcode Fuzzy Hash: 346a97fe3b554d6ea7b4bbaf12baa1f8d932fbe5d70e927d73db7af9313f27ee
                                                  • Instruction Fuzzy Hash: B811EB751043196BF310DF68DC4AFDB77D8FB84700F010D19F64592191EBB4A549C7A6
                                                  APIs
                                                  • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B064,00000000,00000000), ref: 10010F11
                                                  • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B064,00000000,00000000), ref: 10010F1F
                                                  • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B064,00000000,00000000), ref: 10010F2C
                                                  • #541.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B064,00000000,00000000), ref: 10010F39
                                                  • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B064,00000000,00000000), ref: 10010F46
                                                  • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B064,00000000,00000000), ref: 10010F53
                                                  • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B064,00000000,00000000), ref: 10010F60
                                                  • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B064,00000000,00000000), ref: 10010F6D
                                                  • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B064,00000000,00000000), ref: 10010F90
                                                    • Part of subcall function 100110D0: #2614.MFC42(00000000,?), ref: 100110F5
                                                    • Part of subcall function 100110D0: #2614.MFC42(00000000,?), ref: 100110FD
                                                    • Part of subcall function 100110D0: #6143.MFC42(00000000,000000FF,00000000,?), ref: 10011110
                                                    • Part of subcall function 100110D0: #2614.MFC42(00000000,000000FF,00000000,?), ref: 1001111C
                                                    • Part of subcall function 100110D0: #860.MFC42(?,00000000,000000FF,00000000,000000FF,00000000,?), ref: 10011137
                                                    • Part of subcall function 100110D0: PathGetArgsA.SHLWAPI(00000000,?), ref: 10011172
                                                    • Part of subcall function 100110D0: #860.MFC42(00000000), ref: 1001117C
                                                    • Part of subcall function 100110D0: PathRemoveArgsA.SHLWAPI(00000000), ref: 10011186
                                                    • Part of subcall function 100110D0: PathUnquoteSpacesA.SHLWAPI(00000000,?), ref: 10011191
                                                    • Part of subcall function 100110D0: _splitpath.MSVCRT ref: 100111C5
                                                    • Part of subcall function 100110D0: #860.MFC42(?,?,?,?,?), ref: 100111D6
                                                    • Part of subcall function 100110D0: #860.MFC42(?,?,?,?,?,?), ref: 100111E8
                                                    • Part of subcall function 100110D0: #6876.MFC42(0000002F,0000005C,?,?,?,?,?,?), ref: 100111F3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #540$#860$#2614Path$Args$#541#6143#6876RemoveSpacesUnquote_splitpath
                                                  • String ID:
                                                  • API String ID: 882339912-0
                                                  • Opcode ID: bcae64db62a9173b5de6d8cd2ae765ea97d72524f73a260d54af00dd520cab45
                                                  • Instruction ID: b1f006ec1c09e58242ba318f60969b2c11d84897468487acfae0c13bde89da3f
                                                  • Opcode Fuzzy Hash: bcae64db62a9173b5de6d8cd2ae765ea97d72524f73a260d54af00dd520cab45
                                                  • Instruction Fuzzy Hash: DB213B780057818ED354CF59D642B6AFBE4FF94B10F40491DE4DA83682DB74B508CBB2
                                                  APIs
                                                  • OpenClipboard.USER32(00000000), ref: 10017C2A
                                                  • GetClipboardData.USER32(00000001), ref: 10017C36
                                                  • CloseClipboard.USER32 ref: 10017C46
                                                  • GlobalSize.KERNEL32(00000000), ref: 10017C55
                                                  • GlobalLock.KERNEL32(00000000), ref: 10017C5F
                                                  • #823.MFC42(00000001), ref: 10017C68
                                                  • GlobalUnlock.KERNEL32(?), ref: 10017C8F
                                                  • CloseClipboard.USER32 ref: 10017C95
                                                  • #825.MFC42(00000000), ref: 10017CA7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Clipboard$Global$Close$#823#825DataLockOpenSizeUnlock
                                                  • String ID:
                                                  • API String ID: 15072309-0
                                                  • Opcode ID: e4c83fdc53078b23110fe99408f6848a6625d633b3bafd07e91433b67cd46e05
                                                  • Instruction ID: 9d338dc67493be82bb18043d65382f3dd730fbe0f51d25364675624cb99999ab
                                                  • Opcode Fuzzy Hash: e4c83fdc53078b23110fe99408f6848a6625d633b3bafd07e91433b67cd46e05
                                                  • Instruction Fuzzy Hash: E001D6395046246FE710EB649C89ADB37A8FF44651F490228FD0ED7250EB75E904C6F2
                                                  APIs
                                                  • OpenClipboard.USER32(00000000), ref: 10016F1A
                                                  • GetClipboardData.USER32(00000001), ref: 10016F26
                                                  • CloseClipboard.USER32 ref: 10016F36
                                                  • GlobalSize.KERNEL32(00000000), ref: 10016F45
                                                  • GlobalLock.KERNEL32(00000000), ref: 10016F4F
                                                  • #823.MFC42(00000001), ref: 10016F58
                                                  • GlobalUnlock.KERNEL32(?), ref: 10016F7F
                                                  • CloseClipboard.USER32 ref: 10016F85
                                                  • #825.MFC42(00000000), ref: 10016F97
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Clipboard$Global$Close$#823#825DataLockOpenSizeUnlock
                                                  • String ID:
                                                  • API String ID: 15072309-0
                                                  • Opcode ID: 4072f59da86136a8181d21f34bb8e7e131716998d916dfe5853bc9eb5e6c99c2
                                                  • Instruction ID: 7427716a2ac4119ad4da49d555f0140185f668cd49e7d982ef33821d485bf08e
                                                  • Opcode Fuzzy Hash: 4072f59da86136a8181d21f34bb8e7e131716998d916dfe5853bc9eb5e6c99c2
                                                  • Instruction Fuzzy Hash: 2401DB395042246FE710EB64AC89AEB3798FF44701F484229FD0ED7200EB759904C6F1
                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(1012C508), ref: 10022E6A
                                                  • LeaveCriticalSection.KERNEL32(1012C508), ref: 10022E82
                                                    • Part of subcall function 10022D10: _strnicmp.MSVCRT ref: 10022D24
                                                  • send.WS2_32(?,HTTP/1.0 200 OK,?,00000000), ref: 10022F1E
                                                  • send.WS2_32(?,?,00000000,00000000), ref: 10022F94
                                                  • CreateThread.KERNEL32(00000000,00000000,10023F60,?,00000000,?), ref: 10022FBC
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,00000000), ref: 10022FC9
                                                    • Part of subcall function 10022C80: atoi.MSVCRT(?), ref: 10022CB9
                                                    • Part of subcall function 100234D0: htons.WS2_32 ref: 100234F3
                                                    • Part of subcall function 100234D0: inet_addr.WS2_32(?), ref: 10023509
                                                    • Part of subcall function 100234D0: inet_addr.WS2_32(?), ref: 10023527
                                                    • Part of subcall function 100234D0: socket.WS2_32(00000002,00000001,00000006), ref: 10023533
                                                    • Part of subcall function 100234D0: setsockopt.WS2_32 ref: 1002355E
                                                    • Part of subcall function 100234D0: connect.WS2_32(?,?,00000010), ref: 1002356E
                                                    • Part of subcall function 100234D0: closesocket.WS2_32 ref: 1002357C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalSectioninet_addrsend$CreateEnterLeaveObjectSingleThreadWait_strnicmpatoiclosesocketconnecthtonssetsockoptsocket
                                                  • String ID: HTTP/1.0 200 OK
                                                  • API String ID: 599367761-2989790534
                                                  • Opcode ID: 06f7fbf010196f44f873a5443e839498c239146a060f057b8ecad9d25104cda5
                                                  • Instruction ID: 47c87ebbf93a50924a3e250a8357829057b2db1369e31752acfc823b29761746
                                                  • Opcode Fuzzy Hash: 06f7fbf010196f44f873a5443e839498c239146a060f057b8ecad9d25104cda5
                                                  • Instruction Fuzzy Hash: 8D41E135604205ABD760CBA4ED84FAB77E8EB84354F504B28F94893284DA34ED45CBA2
                                                  APIs
                                                  • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1002C0AA
                                                  • lstrlenA.KERNEL32 ref: 1002C0C9
                                                  • WriteFile.KERNEL32(00000000,?,00000000), ref: 1002C0D2
                                                  • CloseHandle.KERNEL32(00000000), ref: 1002C0D9
                                                    • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCrkat,?,00000000,0000002E,00000001), ref: 10014D10
                                                    • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D19
                                                    • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 10014D27
                                                    • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D2A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressFileLibraryLoadProc$CloseCreateHandleWritelstrlen
                                                  • String ID: BITS$C:\ProgramData\Microsoft Drive\BITS.sys$TGByte\Setup
                                                  • API String ID: 46210954-946259135
                                                  • Opcode ID: af8c7899827bfc83741b1d3830a02ff880f794bc520886e4f1cc45e81e84da78
                                                  • Instruction ID: adb6deec904987800fe85f6b3ecb473ff369c94e7e2e7fdca2e69a06bd759cd3
                                                  • Opcode Fuzzy Hash: af8c7899827bfc83741b1d3830a02ff880f794bc520886e4f1cc45e81e84da78
                                                  • Instruction Fuzzy Hash: D7116375104310BFE310DF18DC95BEBBBE9FB89710F444929FA48A72A1DB745909CBA2
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(dwmapi.dll,10098B10,1001767F), ref: 10017486
                                                  • GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled), ref: 1001749F
                                                  • GetProcAddress.KERNEL32(00000000,DwmEnableComposition), ref: 100174AB
                                                    • Part of subcall function 10017460: #102.DWMAPI(00000000,100174B6), ref: 1001746B
                                                  • FreeLibrary.KERNEL32(00000000), ref: 100174B7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryProc$#102FreeLoad
                                                  • String ID: DwmEnableComposition$DwmIsCompositionEnabled$dwmapi.dll
                                                  • API String ID: 921056788-1849796216
                                                  • Opcode ID: e7bc18532d82db7781f6db1b43c4f4c4d0ba297617c9142dcf3622deb4fcc179
                                                  • Instruction ID: ec8973c85b4295611fe6e660086daf7ad590bfada4181087f49f392a1ed51eb0
                                                  • Opcode Fuzzy Hash: e7bc18532d82db7781f6db1b43c4f4c4d0ba297617c9142dcf3622deb4fcc179
                                                  • Instruction Fuzzy Hash: 29E0123A502D3A679251F72D5C14DCF2AA8FF867E13464251FD08F6114DB24DD4289B6
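The API sequences listed in the entries above are what a triager reads out of a report like this by hand: OpenClipboard followed by GetClipboardData with format 1 (CF_TEXT) and GlobalLock is clipboard capture; a send of the canned "HTTP/1.0 200 OK" string followed by a connect in a subcall is a relay that answers a client before forwarding; CreateFileA with dwDesiredAccess 40000000 (GENERIC_WRITE) and dwCreationDisposition 4 (OPEN_ALWAYS) plus WriteFile, next to the string C:\ProgramData\Microsoft Drive\BITS.sys, is a file drop; LoadLibraryA/GetProcAddress pairs are runtime API resolution. The following Python script is an added example, not Joe Sandbox code and not code from the analysed sample. It parses the bullet lines of one function entry, decodes the constants the report prints as raw hex, and tags the entry with capability labels. The labels, the rule sets and SAMPLE_ENTRIES (lines copied from the entries above into a constructed fixture) are this example's own assumptions, not Joe Sandbox signature names.

```python
"""Triage helper for the per-function 'APIs' listings in a Joe Sandbox report.
Added example for this page, not Joe Sandbox code and not code from the analysed
sample; labels, rules and SAMPLE_ENTRIES are this example's own assumptions."""
import re
from collections import namedtuple

ApiCall = namedtuple("ApiCall", "func module args ref subcall")
# bullet, optional "Part of subcall function XXXX:", Name.MODULE, optional "(args)", "ref: ADDR"
_API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
    r"([#\w]+)\.(\w+)(?:\(([^)]*)\))?\s*,?\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)
_STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(.*)$")
# A label fires when one of its API sets occurs within the same entry (labels are this example's own).
RULES = {
    "clipboard capture": ({"OpenClipboard", "GetClipboardData"},),
    "file drop": ({"CreateFileA", "WriteFile"}, {"CreateFileW", "WriteFile"}),
    "dynamic API resolution": ({"LoadLibraryA", "GetProcAddress"}, {"LoadLibraryW", "GetProcAddress"}),
    "outbound TCP with canned HTTP reply": ({"send", "connect"},),
}
_CLIPBOARD_FORMATS = {1: "CF_TEXT", 13: "CF_UNICODETEXT"}  # Windows SDK values
_CREATE_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS"}

# Constructed sample: one dict entry per report function, lines copied from the entries above.
SAMPLE_ENTRIES = {
    "10017C2A": r"""
• OpenClipboard.USER32(00000000), ref: 10017C2A
• GetClipboardData.USER32(00000001), ref: 10017C36
• CloseClipboard.USER32 ref: 10017C46
""",
    "10022E6A": r"""
• send.WS2_32(?,HTTP/1.0 200 OK,?,00000000), ref: 10022F1E
  • Part of subcall function 100234D0: connect.WS2_32(?,?,00000010), ref: 1002356E
• String ID: HTTP/1.0 200 OK
""",
    "1002C0AA": r"""
• CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1002C0AA
• WriteFile.KERNEL32(00000000,?,00000000), ref: 1002C0D2
  • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 10014D27
  • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D2A
• String ID: BITS$C:\ProgramData\Microsoft Drive\BITS.sys$TGByte\Setup
""",
}

def parse_api_lines(text):
    """ApiCall records for one entry's bullet lines; lines that are not API calls are skipped."""
    calls = []
    for line in text.splitlines():
        m = _API_RE.match(line)
        if m:
            subcall, func, module, args, ref = m.groups()
            arglist = [a.strip() for a in args.split(",")] if args else []
            calls.append(ApiCall(func, module, arglist, ref.upper(), subcall))
    return calls

def extract_strings(text):
    """Joe Sandbox joins an entry's referenced strings with '$'."""
    out = []
    for line in text.splitlines():
        m = _STRING_RE.match(line)
        if m and m.group(1).strip():
            out.extend(s for s in m.group(1).split("$") if s)
    return out

def _hexarg(args, idx):
    try:
        return int(args[idx], 16)
    except (IndexError, ValueError):  # '?' means the sandbox could not resolve the value
        return None

def decode_args(call):
    """Readable names for constants the report prints as raw hex."""
    notes = []
    if call.func == "GetClipboardData":
        fmt = _hexarg(call.args, 0)
        if fmt in _CLIPBOARD_FORMATS:
            notes.append(_CLIPBOARD_FORMATS[fmt])
    elif call.func in ("CreateFileA", "CreateFileW"):
        access, disp = _hexarg(call.args, 1), _hexarg(call.args, 4)
        if access is not None and access & 0x40000000:
            notes.append("GENERIC_WRITE")
        if disp in _CREATE_DISPOSITION:
            notes.append(_CREATE_DISPOSITION[disp])
    return notes

def classify(calls):
    """Capability labels for one entry, each with the refs that evidence it."""
    seen = {c.func for c in calls}
    hits = {}
    for label, alternatives in RULES.items():
        for needed in alternatives:
            if needed <= seen:
                hits[label] = sorted(c.ref for c in calls if c.func in needed)
                break
    return hits

def triage(text):
    """Summary for one entry: capabilities, decoded constants, strings and file paths."""
    calls = parse_api_lines(text)
    strings = extract_strings(text)
    return {
        "capabilities": classify(calls),
        "decoded": {f"{c.func}@{c.ref}": n for c in calls if (n := decode_args(c))},
        "strings": strings,
        "paths": [s for s in strings if re.match(r"^[A-Za-z]:\\", s)],
    }
```

Feed one entry's "APIs" block to triage() at a time: a label requires all of its APIs within that entry (subcall lines included), so a LoadLibraryA in one function and a GetProcAddress in another do not combine into a false resolution hit. A "?" argument means the sandbox could not recover the value statically, which is why the decoders return nothing for it rather than guessing.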
                                                  APIs
                                                  • _CxxThrowException.MSVCRT(?,100F59A0), ref: 10004DC3
                                                  • #823.MFC42(10004C7C,?,00000004,00000000,00000004,10004C8B,00000004,?,00000003,00000003,00000000,?,10004C8B,?,00000000,?), ref: 10004E37
                                                  • #823.MFC42(00000000,?,?,?,00000000,10097CF0,000000FF,76A923A0,10004C8B,?,00000000), ref: 10004E48
                                                  • #825.MFC42(00000000,00000000,?,?,?), ref: 10004EAE
                                                  • #825.MFC42(00000000,00000000,00000000,?,?,?), ref: 10004EB4
                                                  • _CxxThrowException.MSVCRT(?), ref: 10004ED1
                                                  • #825.MFC42(?,?,?,?,?,00000000,10097CF0,000000FF,76A923A0,10004C8B,?,00000000), ref: 10004EDE
                                                  • #825.MFC42(10097CF0,?,?,?,?,00000000,10097CF0,000000FF,76A923A0,10004C8B,?,00000000), ref: 10004EEE
                                                    • Part of subcall function 10004FA0: _ftol.MSVCRT ref: 10004FDF
                                                    • Part of subcall function 10004FA0: #823.MFC42(00000000), ref: 10004FE9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #825$#823$ExceptionThrow$_ftol
                                                  • String ID:
                                                  • API String ID: 3722084872-0
                                                  • Opcode ID: c76f4588f4861e8b0e5033ec5df18216b91fc0f614261ac88326526c7a5f0dfa
                                                  • Instruction ID: a565fb7e3d51c96f679dbc9a240e4393d41c51425d2560a9ab3a27c4c36f4040
                                                  • Opcode Fuzzy Hash: c76f4588f4861e8b0e5033ec5df18216b91fc0f614261ac88326526c7a5f0dfa
                                                  • Instruction Fuzzy Hash: 9F51B4B5A002099BEF00DF64C881FEEB7B9EF48680F014029F905AB345DF34B9058B95
                                                  APIs
                                                    • Part of subcall function 100193B0: ReleaseDC.USER32(?,?), ref: 100193CA
                                                    • Part of subcall function 100193B0: GetDesktopWindow.USER32 ref: 100193D0
                                                    • Part of subcall function 100193B0: GetDC.USER32(00000000), ref: 100193DD
                                                  • GetCursorPos.USER32(?), ref: 10018E2A
                                                  • GetCursorInfo.USER32(?), ref: 10018E4B
                                                  • DestroyCursor.USER32(?), ref: 10018E74
                                                  • GetTickCount.KERNEL32 ref: 10018F68
                                                  • Sleep.KERNEL32(00000001), ref: 10018F7D
                                                  • GetTickCount.KERNEL32 ref: 10018F7F
                                                  • GetTickCount.KERNEL32 ref: 10018F8C
                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 10018F90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CountCursorTick$DesktopDestroyExchangeInfoInterlockedReleaseSleepWindow
                                                  • String ID:
                                                  • API String ID: 3294368536-0
                                                  • Opcode ID: 8e59e283545c54a72f066a9ea5b12339734f7a36fcbf472c7d2c7538942f2430
                                                  • Instruction ID: e3fc8f9c6b5c6e41deacf068d5df81eeb71275da08ab79c8efc0fdef42278ccd
                                                  • Opcode Fuzzy Hash: 8e59e283545c54a72f066a9ea5b12339734f7a36fcbf472c7d2c7538942f2430
                                                  • Instruction Fuzzy Hash: E45181752007049FD724DF28C884A6AB3E6FFC8350B544A2DF586CB651D730FA86CB61
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 10015071
                                                  • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000,?,00000000,000F003F,?), ref: 100150A7
                                                  • LocalAlloc.KERNEL32(00000040,?,?,?,?,00000000,000F003F,?), ref: 100150E6
                                                  • #823.MFC42(?,?,?,?,00000000,000F003F,?), ref: 10015123
                                                  • RegEnumKeyExA.ADVAPI32(?,?,00000000,?,00000000,00000000,00000000,00000000), ref: 10015178
                                                  • #825.MFC42(00000000), ref: 100151BD
                                                  • RegCloseKey.ADVAPI32(?), ref: 100151CA
                                                  • LocalReAlloc.KERNEL32(?,?,00000042), ref: 100151D8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: AllocLocal$#823#825CloseEnumInfoOpenQuery
                                                  • String ID:
                                                  • API String ID: 601778281-0
                                                  • Opcode ID: 386ab23e73b43c236b7575fa9931372d53038780aebd8f4f87453a7edb17ef88
                                                  • Instruction ID: 600140b6dcf1fc6ac8c34a45a6bb1d45401c0701896d249da74092682c530594
                                                  • Instruction Fuzzy Hash: 91517171604305AFD714DF28CC91B6BB7E9FB88610F584A2DF949DB380D635ED058BA2
                                                  APIs
                                                  • ?_Xran@std@@YAXXZ.MSVCP60(?,?,?,00000000,?,-00000008,10097F61,000000FF,10009756,-00000008,?,?,?,?,?), ref: 1000A40F
                                                  • ?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,?,?,00000000,?,-00000008,10097F61,000000FF,10009756,-00000008,?,?,?,?,?), ref: 1000A417
                                                  • memmove.MSVCRT(3B4208C4,?,?,?,00000000,?,-00000008,10097F61,000000FF,10009756,-00000008,?,?,?,?,?), ref: 1000A439
                                                  • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 1000A44B
                                                  • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 1000A458
                                                  • ?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000000,?,-00000008,10097F61,000000FF,10009756,-00000008,?,?,?,?,?,?,00000000,00000065), ref: 1000A460
                                                  • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,00000000,?,-00000008,10097F61,000000FF,10009756,-00000008,?,?,?,?,?), ref: 1000A497
                                                  • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(3B4208C4,00000001,?,?,?,00000000,?,-00000008,10097F61,000000FF,10009756,-00000008,?,?,?), ref: 1000A4D8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Grow@?$basic_string@Split@?$basic_string@$Eos@?$basic_string@Tidy@?$basic_string@Xran@std@@memmove
                                                  • String ID:
                                                  • API String ID: 1074130261-0
                                                  • Opcode ID: 9c78330a7592489e721474567922780b083d31e010480504787a7ba47f8834b6
                                                  • Instruction ID: 8f937d4beb23756cef0cc620a4d7fe7e7cbc97e07a2ad92db45a8aecb1b163fa
                                                  • Instruction Fuzzy Hash: B141D1396407549FD710CF19C8C869ABBE5FBC9BA0F44862EEC5A87351C7759D40CB40
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: _strnicmp
                                                  • String ID: CONNECT $GET $HEAD $POST
                                                  • API String ID: 2635805826-4031508290
                                                  • Opcode ID: ffa05f026e64c220542134937b36d1f221770114ae898298134b10750bd5803a
                                                  • Instruction ID: 3ff6fee9492b0cb01d11fd10cf410978b70b15b799f9d86135a7a06740ef88c0
                                                  • Instruction Fuzzy Hash: CB019E31300211ABE700DA6CFC00BCE73D9FFC5716F860466F944DB280E3B898058B95
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: sprintf$floor
                                                  • String ID: %.0f
                                                  • API String ID: 389794084-4293663076
                                                  • Opcode ID: cb3f7aaaf6b266179aa8dd0ee4d912ea5967b7a82becc2bba026ec5a4ef99637
                                                  • Instruction ID: a274ceac6ce3522e1593489d29bd3f77ae1b15863641420014f16e45a4b04ce6
                                                  • Instruction Fuzzy Hash: F0417CB1A04615A7F3028B54ED9879777ACFFC23D6F044261FE8892294DB21D974C7E2
                                                  APIs
                                                  • mbstowcs.MSVCRT ref: 1002533C
                                                  • NetUserGetLocalGroups.NETAPI32(00000000,?,00000000,00000001,?,000000FF,?,?,000000FF,75920440,1012C830), ref: 10025362
                                                  • wcslen.MSVCRT ref: 100253A2
                                                  • malloc.MSVCRT ref: 100253AA
                                                  • wsprintfA.USER32 ref: 100253BC
                                                  • strncpy.MSVCRT ref: 100253CD
                                                  • free.MSVCRT ref: 100253D4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: GroupsLocalUserfreemallocmbstowcsstrncpywcslenwsprintf
                                                  • String ID:
                                                  • API String ID: 4292357205-0
                                                  • Opcode ID: 5fe22eb28088a4c30f4e6ad33e5a5ec577a7f61eaabd0a6bc23e4307b16f7926
                                                  • Instruction ID: 198c18e4199f8e378d16dff6c1d29f30758d95d01a74b94e96b917cc37e4a3c5
                                                  • Instruction Fuzzy Hash: CC3145741083626FD315DF24DC809EBBBE8FB88315F400A2CF99AC3281DB71DA458B96
                                                  APIs
                                                  • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 1002CAA5
                                                  • __WSAFDIsSet.WS2_32(?,00000001), ref: 1002CAB9
                                                  • recv.WS2_32(?,?,00002000,00000000), ref: 1002CAD2
                                                  • __WSAFDIsSet.WS2_32(?,00000001), ref: 1002CAFA
                                                  • recv.WS2_32(?,?,00002000,00000000), ref: 1002CB13
                                                  • closesocket.WS2_32 ref: 1002CB49
                                                  • closesocket.WS2_32(?), ref: 1002CB4C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: closesocketrecv$select
                                                  • String ID:
                                                  • API String ID: 2008065562-0
                                                  • Opcode ID: 02298cda23435bc61be9cfb09b1083414a9cd937f3c938150b9f4154a4cffdb6
                                                  • Instruction ID: fff26b3238a694f0a4db4817269bd6ab97932eb903be9958e3dfeeb9e780b3a5
                                                  • Instruction Fuzzy Hash: 1E31C67560835E6BE335CEA4DC86FEBB7DCEB40780F810869EA45D6182D774E90487A3
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 1001666A
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,10098A71,000000FF), ref: 10016675
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,10098A71,000000FF), ref: 10016682
                                                  • #823.MFC42(000001F0), ref: 100166B0
                                                  • #823.MFC42(000001F0), ref: 100166E1
                                                    • Part of subcall function 10017D20: LoadCursorA.USER32(00000000,00000000), ref: 10017DFF
                                                  • #823.MFC42(000001F0), ref: 10016708
                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 1001676D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: #823$ExchangeInterlocked$CloseCursorHandleLoadObjectSingleWait
                                                  • String ID:
                                                  • API String ID: 3589420723-0
                                                  • Opcode ID: 0fe1d094d2ae649a4336e8b454c16dc9f549e546ef118597d430beb08463b978
                                                  • Instruction ID: 712e268baaa8dd016a258d9f4d26cd7f4b70a444460d0a0c6ff612943e0d7f80
                                                  • Instruction Fuzzy Hash: C331B274644704ABE720CB348C92FAA77E5FB4C714F000A2DF69A9A2C1DB75F580C752
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation), ref: 1002A022
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002A029
                                                  • _ftol.MSVCRT ref: 1002A12D
                                                  • Sleep.KERNEL32(000003E8), ref: 1002A15E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: AddressHandleModuleProcSleep_ftol
                                                  • String ID: NtQuerySystemInformation$ntdll
                                                  • API String ID: 720640769-3593917365
                                                  • Opcode ID: 71556687bafdae8aacb74c1e519e718df57c186dcd0d74c8623742416fd372e6
                                                  • Instruction ID: da8c363a9b2f8ca5d42d7e39bc57195bec9240f7517bf0137091d1592b03c1a3
                                                  • Instruction Fuzzy Hash: CF41A5B5A083059FE310DF65DC85A8BB7E8FBC8750F418E2DF589E2250EF3098548B92
                                                  APIs
                                                  • CloseHandle.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 1000947B
                                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,00000000,?,?,00000000,00000065,000000FF), ref: 10009494
                                                  • GetFileSize.KERNEL32(00000000,?,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 100094B7
                                                  • lstrlenA.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 100094C0
                                                  • LocalAlloc.KERNEL32(00000040,-0000000A,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 100094CE
                                                  • lstrlenA.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 100094FC
                                                  • LocalFree.KERNEL32(00000000,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009524
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: FileLocallstrlen$AllocCloseCreateFreeHandleSize
                                                  • String ID:
                                                  • API String ID: 2793549963-0
                                                  • Opcode ID: 1d0de42e81ec7a97ed4485cc77a0b2a80b5f9abe04790932a430d9cbf81657f2
                                                  • Instruction ID: 308c1cce03677ded8cce1838fe27e550398bb3d797b3be4da8be1d4d23af97c4
                                                  • Opcode Fuzzy Hash: 1d0de42e81ec7a97ed4485cc77a0b2a80b5f9abe04790932a430d9cbf81657f2
                                                  • Instruction Fuzzy Hash: 0D3108327002145BD714DE78DC95B9AB2D6FB88621F484639FE1AD73C0DAB5A805C660
                                                  APIs
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,00000000,?,?), ref: 1000771C
                                                  • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000003,00000080,00000000,?,?), ref: 10007792
                                                  • SetFilePointer.KERNEL32(00000000,?,?,00000000,?,?), ref: 100077A7
                                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?), ref: 100077C4
                                                  • CloseHandle.KERNEL32(00000000,?,?), ref: 100077CB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Similarity
                                                  • API ID: File$CloseCreateFolderHandlePathPointerSpecialWrite
                                                  • String ID: p
                                                  • API String ID: 2004626570-2181537457
                                                  • Opcode ID: db79ec1e1d2c2a338deb3c310fd97c6c46a2e7c23434e6060fbb021f232cdfea
                                                  • Instruction ID: 1e1907684de1c8bd89ee597228f05c738f3ecf463b7a0146f2a5c42f798544d2
                                                  • Opcode Fuzzy Hash: db79ec1e1d2c2a338deb3c310fd97c6c46a2e7c23434e6060fbb021f232cdfea
                                                  • Instruction Fuzzy Hash: 6331D7756447045BD318CA28CC45FABB796FBC8320F084B2DF95A972D0DAB49E05C751
                                                  APIs
                                                    • Part of subcall function 10004F20: setsockopt.WS2_32(?,0000FFFF,00000080,00000000), ref: 10004F4A
                                                    • Part of subcall function 10004F20: CancelIo.KERNEL32(?), ref: 10004F57
                                                    • Part of subcall function 10004F20: InterlockedExchange.KERNEL32(?,00000000), ref: 10004F66
                                                    • Part of subcall function 10004F20: closesocket.WS2_32(?), ref: 10004F73
                                                    • Part of subcall function 10004F20: SetEvent.KERNEL32(?), ref: 10004F80
                                                  • ResetEvent.KERNEL32(?,?,00000000), ref: 10004A73
                                                  • socket.WS2_32 ref: 10004A86
                                                  • gethostbyname.WS2_32(?), ref: 10004AA6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Similarity
                                                  • API ID: Event$CancelExchangeInterlockedResetclosesocketgethostbynamesetsockoptsocket
                                                  • String ID:
                                                  • API String ID: 513860241-0
                                                  • Opcode ID: dd6fca4b14ea35cb6b5819fb0315a2d1409d462e86a20a94a99b707d4d32cf9b
                                                  • Instruction ID: 92d35607f8033a3118f145dcfa9d89b9a917cf27699ac872a687df5e96afb08c
                                                  • Opcode Fuzzy Hash: dd6fca4b14ea35cb6b5819fb0315a2d1409d462e86a20a94a99b707d4d32cf9b
                                                  • Instruction Fuzzy Hash: 0731CEB5244301AFE310DF28CC85FDB77E4FF85318F004A1DF2999A280DBB1A4888B66
                                                  APIs
                                                  • #939.MFC42(00000000,00000004,?,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000), ref: 100116CA
                                                  • #800.MFC42(00000000,00000004,?,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000), ref: 100116DB
                                                  • #6282.MFC42(?,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000,00000000), ref: 100116ED
                                                  • #535.MFC42(00000030,?,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000,00000000), ref: 100116F9
                                                  • #535.MFC42(?,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000,00000000), ref: 1001173E
                                                  • #535.MFC42(?,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000,00000000), ref: 10011756
                                                    • Part of subcall function 10011790: #540.MFC42 ref: 100117B7
                                                    • Part of subcall function 10011790: #2818.MFC42(00000000, %c%s,?,?), ref: 100117E0
                                                    • Part of subcall function 10011790: #2763.MFC42(00000020), ref: 100117FD
                                                    • Part of subcall function 10011790: #537.MFC42(100FACDC,00000000,00000020), ref: 10011815
                                                    • Part of subcall function 10011790: #537.MFC42(100FB4F0,100FACDC,00000000,00000020), ref: 1001182A
                                                    • Part of subcall function 10011790: #922.MFC42(?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 1001183B
                                                    • Part of subcall function 10011790: #922.MFC42(?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 1001184C
                                                    • Part of subcall function 10011790: #939.MFC42(00000000,?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 1001185B
                                                    • Part of subcall function 10011790: #800.MFC42(00000000,?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 10011869
                                                    • Part of subcall function 10011790: #800.MFC42(00000000,?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 10011877
                                                    • Part of subcall function 10011790: #800.MFC42(00000000,?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 10011885
                                                    • Part of subcall function 10011790: #800.MFC42(00000000,?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 10011893
                                                    • Part of subcall function 10011790: #535.MFC42(00000000), ref: 100118F0
                                                    • Part of subcall function 10011790: #800.MFC42(00000000), ref: 10011906
                                                  • #536.MFC42(00000000,00000001,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000,00000000), ref: 10011766
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Similarity
                                                  • API ID: #800$#535$#537#922#939$#2763#2818#536#540#6282
                                                  • String ID:
                                                  • API String ID: 37758464-0
                                                  • Opcode ID: 3d700551163b542b38d8b03b5ef292303f94f415ddb6fbb6d07dd7c0df94b13e
                                                  • Instruction ID: a387ab11639bd89c7a433ae959a7e4b16c1de711adbd724f1b563dcecc6c226d
                                                  • Opcode Fuzzy Hash: 3d700551163b542b38d8b03b5ef292303f94f415ddb6fbb6d07dd7c0df94b13e
                                                  • Instruction Fuzzy Hash: 4F31B036304B509BC768DB19C980A5EB3E5FBC8660F844A2DF15A9B781CA34FD86CB51
                                                  APIs
                                                  • Sleep.KERNEL32(0000000A), ref: 1001790C
                                                  • SystemParametersInfoA.USER32(00000056,00000001,00000000,00000000), ref: 1001792A
                                                  • PostMessageA.USER32(0000FFFF,00000112,0000F170,00000002), ref: 1001793D
                                                  • SystemParametersInfoA.USER32(00000056,00000000,00000000,00000000), ref: 10017959
                                                  • PostMessageA.USER32(0000FFFF,00000112,0000F170,000000FF), ref: 1001796C
                                                    • Part of subcall function 100172E0: WaitForSingleObject.KERNEL32(?), ref: 10017309
                                                    • Part of subcall function 100172E0: CloseHandle.KERNEL32(?), ref: 10017316
                                                    • Part of subcall function 100172E0: #823.MFC42(00000110), ref: 1001733A
                                                  • BlockInput.USER32(?), ref: 1001797E
                                                    • Part of subcall function 10017CC0: GetSystemMetrics.USER32(00000000), ref: 10017CD7
                                                    • Part of subcall function 10017CC0: GetSystemMetrics.USER32(00000001), ref: 10017CE0
                                                  • BlockInput.USER32(00000000), ref: 100179B1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Similarity
                                                  • API ID: System$BlockInfoInputMessageMetricsParametersPost$#823CloseHandleObjectSingleSleepWait
                                                  • String ID:
                                                  • API String ID: 3920574744-0
                                                  • Opcode ID: fafef813ed8a9c147f562dd6c35f089270f354d0bfb6d6f79d4d72cdd761d5b8
                                                  • Instruction ID: 7986ccb564aaef6e7677450f4a479ce91f482bd9a58eabc106b72063fd66a517
                                                  • Opcode Fuzzy Hash: fafef813ed8a9c147f562dd6c35f089270f354d0bfb6d6f79d4d72cdd761d5b8
                                                  • Instruction Fuzzy Hash: 9221083438034425DA14EA340C83FE92776EF42750F101538B75E6F1C3CDB5E88A8628
                                                  APIs
                                                  • lstrlenA.KERNEL32(00000000), ref: 10025889
                                                  • NetUserGetInfo.NETAPI32(00000000,00000000,00000003,?), ref: 100258B8
                                                    • Part of subcall function 100245F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 10024614
                                                    • Part of subcall function 100245F0: #823.MFC42(00000002,?,00000000,00000000), ref: 10024621
                                                    • Part of subcall function 100245F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1002463D
                                                  • NetUserSetInfo.NETAPI32(00000000,00000000,00000003,?,?,?), ref: 100258ED
                                                  • #825.MFC42(00000000,00000000,00000000,00000003,?,?,?), ref: 100258F5
                                                  • #825.MFC42(?,00000000,00000000,00000000,00000003,?,?,?), ref: 10025902
                                                  • NetApiBufferFree.NETAPI32(?), ref: 10025934
                                                  • LocalFree.KERNEL32(?), ref: 1002593E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Similarity
                                                  • API ID: #825ByteCharFreeInfoMultiUserWide$#823BufferLocallstrlen
                                                  • String ID:
                                                  • API String ID: 1574401665-0
                                                  • Opcode ID: 4deef81ed9964ded4ef6be6e35d77e14c2eeece9479341862667b8981f28ec86
                                                  • Instruction ID: db542bc96f26d639f55d823ab568073f523843db7179ccf286ad23694a425397
                                                  • Opcode Fuzzy Hash: 4deef81ed9964ded4ef6be6e35d77e14c2eeece9479341862667b8981f28ec86
                                                  • Instruction Fuzzy Hash: 08217FB5608301AFD710DF68EC85E5BBAECEF94604F44042DF58597243EA74E94C8BA2
                                                  APIs
                                                  • htons.WS2_32 ref: 100234F3
                                                  • inet_addr.WS2_32(?), ref: 10023509
                                                  • inet_addr.WS2_32(?), ref: 10023527
                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 10023533
                                                  • setsockopt.WS2_32 ref: 1002355E
                                                  • connect.WS2_32(?,?,00000010), ref: 1002356E
                                                  • closesocket.WS2_32 ref: 1002357C
                                                    • Part of subcall function 100232C0: gethostbyname.WS2_32(?), ref: 100232C5
                                                    • Part of subcall function 100232C0: inet_ntoa.WS2_32(00000000), ref: 100232D8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Similarity
                                                  • API ID: inet_addr$closesocketconnectgethostbynamehtonsinet_ntoasetsockoptsocket
                                                  • String ID:
                                                  • API String ID: 1372979013-0
                                                  • Opcode ID: a076db341b62b5e459f863378d388fcc54060c0c050763b1ff6fa81f446d88c2
                                                  • Instruction ID: 004383c3fc2686cea437f660dfe81f0b064d2de5a6b80219a309b61b1ccdcd83
                                                  • Opcode Fuzzy Hash: a076db341b62b5e459f863378d388fcc54060c0c050763b1ff6fa81f446d88c2
                                                  • Instruction Fuzzy Hash: 8B11AEB4904711ABE310DF289C85AABB7E8FF84360F548B1DF498D22D0E770D9448B92
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 1001723D
                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 10017248
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,10098AD6,000000FF,1000CE1B), ref: 10017259
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,10098AD6,000000FF,1000CE1B), ref: 10017264
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,10098AD6,000000FF,1000CE1B), ref: 10017273
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,10098AD6,000000FF,1000CE1B), ref: 1001727C
                                                  • DestroyCursor.USER32(?), ref: 100172AC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Similarity
                                                  • API ID: CloseExchangeHandleInterlockedObjectSingleWait$CursorDestroy
                                                  • String ID:
                                                  • API String ID: 2236516186-0
                                                  • Opcode ID: d8505e23fb446c41012494cd6b92a324ddedd58825db3cd10bd00a0c1f8eaa5b
                                                  • Instruction ID: ef58890a3e63d9af94dba857a36f85de578af6b60b018718c6a648def18a2e7e
                                                  • Opcode Fuzzy Hash: d8505e23fb446c41012494cd6b92a324ddedd58825db3cd10bd00a0c1f8eaa5b
                                                  • Instruction Fuzzy Hash: 12210B752007159FD224DB69CC80BD6B3E8FB89720F150B1EE6AA97390CBB5B8018B91
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,10098376,000000FF), ref: 100124D5
                                                  • GetProcAddress.KERNEL32(00000000,closesocket), ref: 100124E3
                                                  • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,10098376,000000FF), ref: 10012522
                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,10098376,000000FF), ref: 1001252D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Similarity
                                                  • API ID: Library$AddressCriticalDeleteFreeLoadProcSection
                                                  • String ID: closesocket$ws2_32.dll
                                                  • API String ID: 1041861973-181964208
                                                  • Opcode ID: 7ec5b394c5dd60fd7d873c2236bf67511227bc33ef3d5c31afae368c8e1ea57f
                                                  • Instruction ID: 84a0c60808f6a2c03e40c6969a83a2f887d69962a4d8d2a11b52e44a2cc86ffd
                                                  • Opcode Fuzzy Hash: 7ec5b394c5dd60fd7d873c2236bf67511227bc33ef3d5c31afae368c8e1ea57f
                                                  • Instruction Fuzzy Hash: B0119EB55047459BC300DF28DC44B8AFBE8FF44760F400B29F86993390D77899548AA1
                                                  APIs
                                                  • Sleep.KERNEL32(00000064,?,?), ref: 1002CDE1
                                                  • wsprintfA.USER32 ref: 1002CE0C
                                                  • closesocket.WS2_32(00000000), ref: 1002CE24
                                                  • TerminateThread.KERNEL32(?,00000000), ref: 1002CE5C
                                                  • CloseHandle.KERNEL32(1012E204), ref: 1002CE63
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandleSleepTerminateThreadclosesocketwsprintf
                                                  • String ID: nsocket-di:%d
                                                  • API String ID: 1790861966-355283319
                                                  • Opcode ID: 5832732653d55447b16368397a97016988137fce6ab7780cdf6cecfaa7e6b3e3
                                                  • Instruction ID: 8743c39e8dca7be7b29396b0ca2f4e57eafff57f3041ee6da424d4d59b6ae13d
                                                  • Opcode Fuzzy Hash: 5832732653d55447b16368397a97016988137fce6ab7780cdf6cecfaa7e6b3e3
                                                  • Instruction Fuzzy Hash: 4F119A39600236EBD710DB28DCC4F823BE9F762354F658229E424C36B4D238E8568F90
                                                  APIs
                                                  • GetSystemDirectoryA.KERNEL32 ref: 10026E26
                                                  • lstrcatA.KERNEL32(?,?), ref: 10026E38
                                                  • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 10026E55
                                                  • CloseHandle.KERNEL32(00000000), ref: 10026E7D
                                                  • LocalFree.KERNEL32(?), ref: 10026E96
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateDirectoryFileFreeHandleLocalSystemlstrcat
                                                  • String ID: p
                                                  • API String ID: 3845662661-2181537457
                                                  • Opcode ID: 14b9efa5483a32bc41595b6595029f4fa2cd9a01486b53e31f71f9e7ac383b4f
                                                  • Instruction ID: 0d636d5cf498f0e200fc51c94bb837cf85bd2e6de4a3745d098e481c266d8e14
                                                  • Opcode Fuzzy Hash: 14b9efa5483a32bc41595b6595029f4fa2cd9a01486b53e31f71f9e7ac383b4f
                                                  • Instruction Fuzzy Hash: 10018074504301ABE720DF28DC89BDB77E4BB88714F448E1CF299961D0D7B8A548CBA2
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(user32.dll), ref: 1000BB2D
                                                  • GetProcAddress.KERNEL32(00000000,GetWindowTextA), ref: 1000BB3B
                                                  • strstr.MSVCRT ref: 1000BB74
                                                  • FreeLibrary.KERNEL32(00000000), ref: 1000BB90
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Library$AddressFreeLoadProcstrstr
                                                  • String ID: GetWindowTextA$user32.dll
                                                  • API String ID: 1147820842-647680576
                                                  • Opcode ID: 28f36ffa30f0b3a5c6eb8c5afc7a3e3c44126d1935c80ebebe4283bddbf57439
                                                  • Instruction ID: 20ad0ba14054967af191ad90f6f60be9464bb0ccc7b687a2d9e76176f1de83c1
                                                  • Opcode Fuzzy Hash: 28f36ffa30f0b3a5c6eb8c5afc7a3e3c44126d1935c80ebebe4283bddbf57439
                                                  • Instruction Fuzzy Hash: E9F0C8395002506BF3219B2CCC84BEB7BE8FF84341F044924F94996254DBB99549C6A1
                                                  APIs
                                                  • GetSystemMetrics.USER32(00000000), ref: 1000EA0F
                                                  • GetSystemMetrics.USER32(00000001), ref: 1000EA13
                                                  • ChangeDisplaySettingsA.USER32 ref: 1000EA49
                                                  • ChangeDisplaySettingsA.USER32(?,00000001), ref: 1000EA56
                                                  • ChangeDisplaySettingsA.USER32(00000000,00000000), ref: 1000EA66
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ChangeDisplaySettings$MetricsSystem
                                                  • String ID:
                                                  • API String ID: 840903655-3916222277
                                                  • Opcode ID: da8bcf99ab6d6381277834236ee77cd44cb5ccb353c2679cf74ed6f1b0556459
                                                  • Instruction ID: 9ef3ec576e7027de0717f9877b67978966fede7fd05d5f4f5218d1c1f9d83b39
                                                  • Opcode Fuzzy Hash: da8bcf99ab6d6381277834236ee77cd44cb5ccb353c2679cf74ed6f1b0556459
                                                  • Instruction Fuzzy Hash: F3F03A31A58324AAF720DB748D45F9B7AE4BF44B48F44091DB6589A1D0E7F5A4088F93
                                                  APIs
                                                    • Part of subcall function 10012560: EnterCriticalSection.KERNEL32(?,?,?,1001246B,?,00000001,?,?,?,00000000,100988A8,000000FF,1000EB8A), ref: 1001256B
                                                    • Part of subcall function 10012560: LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,100988A8,000000FF,1000EB8A), ref: 10012585
                                                  • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 100125F6
                                                  • GetProcAddress.KERNEL32(00000000,closesocket), ref: 10012604
                                                  • FreeLibrary.KERNEL32(00000000), ref: 10012619
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalLibrarySection$AddressEnterFreeLeaveLoadProc
                                                  • String ID: 5$closesocket$ws2_32.dll
                                                  • API String ID: 2819327233-1779900740
                                                  • Opcode ID: 27ca07e9f078f202f3a329561812890b0cb509a05fc093fdfdbdbb04bf2e6fa4
                                                  • Instruction ID: 2761632c92e94d1a980d48baebd45236be465951dd9527d8c45c8e1131a91282
                                                  • Opcode Fuzzy Hash: 27ca07e9f078f202f3a329561812890b0cb509a05fc093fdfdbdbb04bf2e6fa4
                                                  • Instruction Fuzzy Hash: 83F0A77A100A116BD301EF1C9C84DDB77A8FF84752F440519FE4496201DB34E919C7B2
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleep$atoi$CloseHandle
                                                  • String ID:
                                                  • API String ID: 3951340052-0
                                                  • Opcode ID: 3ef6719107b306bb00013df9968c04d9cd443939ce117f6fe5ea7c2255db9f08
                                                  • Instruction ID: 3c75a0318a0e557b236c101e263fdd7ca74ebc3cd29345a93edf304c9ba0fcb6
                                                  • Opcode Fuzzy Hash: 3ef6719107b306bb00013df9968c04d9cd443939ce117f6fe5ea7c2255db9f08
                                                  • Instruction Fuzzy Hash: B941E63B31416016C554F729BC42FBFA764FBE5722F81442FF1869A281CE206C9B83B9
                                                  APIs
                                                  • CreateDIBSection.GDI32(?,00000000,00000000,75FD5D50,00000000,00000000), ref: 100185E1
                                                  • SelectObject.GDI32(00000000,00000000), ref: 100185EF
                                                  • BitBlt.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00CC0020), ref: 1001860E
                                                  • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,?,00CC0020), ref: 1001862F
                                                  • DeleteObject.GDI32(?), ref: 10018685
                                                  • free.MSVCRT ref: 10018694
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Object$CreateDeleteSectionSelectfree
                                                  • String ID:
                                                  • API String ID: 2595996717-0
                                                  • Opcode ID: ee283649881eec98d8cbad5e7b64363b03abddda214ff71c648d186bcbc73e34
                                                  • Instruction ID: fa73614132ced6616fd7bc227f346a67f57bb193df799f847b61321046b9127f
                                                  • Opcode Fuzzy Hash: ee283649881eec98d8cbad5e7b64363b03abddda214ff71c648d186bcbc73e34
                                                  • Instruction Fuzzy Hash: E34126B5600705AFD714DF68CC84E6BB7EAFB88600F14891DF98A8B390D670EE458B61
                                                  APIs
                                                  • BlockInput.USER32(00000000), ref: 10016966
                                                  • BlockInput.USER32(?,?,?), ref: 10016989
                                                  • InterlockedExchange.KERNEL32(?,?), ref: 100169A0
                                                  • BlockInput.USER32(?,?,?), ref: 100169A9
                                                  • InterlockedExchange.KERNEL32(?,?), ref: 100169C0
                                                  • InterlockedExchange.KERNEL32(?,?), ref: 100169D9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: BlockExchangeInputInterlocked
                                                  • String ID:
                                                  • API String ID: 3466551546-0
                                                  • Opcode ID: 7274aee29f7d4d2a2de31e6c4e64948058b118fdd37ba114e8c6fc55ca8315a3
                                                  • Instruction ID: bf2dd9b5654f157943e35733b8f3b73f0b93b8599c458bfd2c4311f32437dab4
                                                  • Opcode Fuzzy Hash: 7274aee29f7d4d2a2de31e6c4e64948058b118fdd37ba114e8c6fc55ca8315a3
                                                  • Instruction Fuzzy Hash: 3D31E33B30856157D284E738BC61EEFA755FFD9320B05892BF585DA241CA20E89683B0
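The per-function API lists above are the most useful part of this section for triage: the GetSystemDirectoryA + lstrcatA + CreateFileA sequence, the LoadLibraryA/GetProcAddress pairs that resolve closesocket and GetWindowTextA at run time, and the BlockInput calls each map to a capability flagged in the report's signatures. The following Python script is an added example and not part of the Joe Sandbox report: it parses API lines in exactly the shape printed here (including the "Part of subcall function" entries), decodes the numeric CreateFileA arguments into their documented Win32 constant names, reconstructs module!export pairs from LoadLibraryA/GetProcAddress, and assigns heuristic capability tags. The sample blocks are copied from the entries above; the tag names and the API sets behind them are this example's own heuristics, not Joe Sandbox signature names.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample input: API trace lines in the shape Joe Sandbox prints them,
# one block per disassembled function, keyed by the function's first ref address.
SAMPLE_BLOCKS: Dict[str, str] = {
    "10026E26": """
• GetSystemDirectoryA.KERNEL32 ref: 10026E26
• lstrcatA.KERNEL32(?,?), ref: 10026E38
• CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 10026E55
• CloseHandle.KERNEL32(00000000), ref: 10026E7D
• LocalFree.KERNEL32(?), ref: 10026E96
""",
    "100125F6": """
  • Part of subcall function 10012560: EnterCriticalSection.KERNEL32(?,?,?,1001246B,?,00000001,?,?,?,00000000,100988A8,000000FF,1000EB8A), ref: 1001256B
• LoadLibraryA.KERNEL32(ws2_32.dll), ref: 100125F6
• GetProcAddress.KERNEL32(00000000,closesocket), ref: 10012604
• FreeLibrary.KERNEL32(00000000), ref: 10012619
""",
    "10016966": """
• BlockInput.USER32(00000000), ref: 10016966
• BlockInput.USER32(?,?,?), ref: 10016989
• InterlockedExchange.KERNEL32(?,?), ref: 100169A0
""",
}

# One trace line: optional bullet, optional "Part of subcall" prefix, Api.MODULE,
# optional (args), then "ref: <hex call-site address>".
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[#\w]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


class ApiCall(NamedTuple):
    api: str
    module: str
    args: List[str]   # raw argument text; "?" means the sandbox could not recover the value
    ref: int          # call-site address
    subcall: bool     # True when the line came from a "Part of subcall function" entry


def parse_block(text: str) -> List[ApiCall]:
    """Parse one function's API list into structured calls, in trace order."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        calls.append(ApiCall(m.group("api"), m.group("mod"), raw.split(",") if raw else [],
                             int(m.group("ref"), 16), "Part of subcall" in line))
    return calls


def _hex(arg: str) -> Optional[int]:
    return None if arg == "?" else int(arg, 16)


def _bits(value: int, table: Dict[int, str]) -> str:
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else hex(value)


# Documented Win32 constants for the CreateFileA parameters that appear in the trace.
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTRIBUTES = {0x2: "FILE_ATTRIBUTE_HIDDEN", 0x4: "FILE_ATTRIBUTE_SYSTEM", 0x80: "FILE_ATTRIBUTE_NORMAL",
              0x100: "FILE_ATTRIBUTE_TEMPORARY", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"}


def decode_createfile(call: ApiCall) -> Optional[Dict[str, str]]:
    """Translate CreateFileA's numeric arguments into their Win32 constant names."""
    if call.api != "CreateFileA" or len(call.args) < 6:
        return None
    access, share, disp, attrs = (_hex(call.args[i]) for i in (1, 2, 4, 5))
    return {
        "access": _bits(access, ACCESS) if access is not None else "?",
        "share": _bits(share, SHARE) if share is not None else "?",
        "disposition": DISPOSITION.get(disp, hex(disp)) if disp is not None else "?",
        "attributes": _bits(attrs, ATTRIBUTES) if attrs is not None else "?",
    }


def resolved_imports(calls: List[ApiCall]) -> List[str]:
    """Pair each GetProcAddress with the most recent LoadLibraryA literal (module!export)."""
    module, out = "?", []
    for c in calls:
        if c.api in ("LoadLibraryA", "LoadLibraryW", "GetModuleHandleA") and c.args:
            module = c.args[0]
        elif c.api == "GetProcAddress" and len(c.args) >= 2:
            out.append(f"{module}!{c.args[1]}")
    return out


# Heuristic tags (this example's own labels): a function is tagged when it calls every
# API in the set; subcall lines are excluded so a tag reflects the function itself.
CAPABILITIES = {
    "dynamic-api-resolution": {"LoadLibraryA", "GetProcAddress"},
    "file-write-in-system-dir": {"GetSystemDirectoryA", "CreateFileA"},
    "input-blocking": {"BlockInput"},
    "screen-capture": {"BitBlt", "CreateDIBSection"},
}


def tag_capabilities(calls: List[ApiCall]) -> List[str]:
    seen = {c.api for c in calls if not c.subcall}
    tags = sorted(tag for tag, needed in CAPABILITIES.items() if needed <= seen)
    cf = next((decode_createfile(c) for c in calls if c.api == "CreateFileA"), None)
    if "file-write-in-system-dir" in tags and cf and "GENERIC_WRITE" not in cf["access"]:
        tags.remove("file-write-in-system-dir")  # opened read-only: not a file drop
    return tags


def triage(blocks: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    report: Dict[str, Dict[str, object]] = {}
    for addr, text in blocks.items():
        calls = parse_block(text)
        report[addr] = {
            "calls": [f"{c.api}.{c.module}" for c in calls],
            "imports": resolved_imports(calls),
            "tags": tag_capabilities(calls),
            "createfile": next((decode_createfile(c) for c in calls if c.api == "CreateFileA"), None),
        }
    return report


if __name__ == "__main__":
    for addr, info in triage(SAMPLE_BLOCKS).items():
        print(addr, info["tags"], info["imports"], info["createfile"])
```

For the function at 10026E26 this yields a CreateFileA opened with GENERIC_WRITE, FILE_SHARE_WRITE and CREATE_ALWAYS under a path built from GetSystemDirectoryA, which is what distinguishes a file drop into the system directory from a harmless read. The GENERIC_WRITE check in tag_capabilities is the kind of argument-level qualifier worth adding to any such heuristic, since the API set alone would also match a function that merely reads a system file.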
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: malloc$realloc$strstr
                                                  • String ID:
                                                  • API String ID: 686937093-0
                                                  APIs
                                                  • #823.MFC42(?,00000058,00000000,00000000,0000005C,00000000,10017EFB,?,?,?,?,?,?,00000000), ref: 100188AB
                                                  • GetDC.USER32(00000000), ref: 10018906
                                                  • CreateCompatibleBitmap.GDI32(00000000,00000001,00000001), ref: 10018913
                                                  • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10018926
                                                  • ReleaseDC.USER32(00000000,00000000), ref: 1001892F
                                                  • DeleteObject.GDI32(00000000), ref: 10018936
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823BitmapBitsCompatibleCreateDeleteObjectRelease
                                                  • String ID:
                                                  • API String ID: 1489246511-0
                                                  APIs
                                                  • #823.MFC42(?,0000005C,00000000,00000000,00000060,00000000,10018C0A,?,?,00000001), ref: 100190FB
                                                  • GetDC.USER32(00000000), ref: 10019156
                                                  • CreateCompatibleBitmap.GDI32(00000000,00000001,00000001), ref: 10019163
                                                  • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10019176
                                                  • ReleaseDC.USER32(00000000,00000000), ref: 1001917F
                                                  • DeleteObject.GDI32(00000000), ref: 10019186
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823BitmapBitsCompatibleCreateDeleteObjectRelease
                                                  • String ID:
                                                  • API String ID: 1489246511-0
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strncmp
                                                  • String ID: false$null$true
                                                  • API String ID: 1114863663-2913297407
                                                  APIs
                                                  • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 10008505
                                                  • #825.MFC42(?,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 1000850C
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 10008539
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 1000854C
                                                  • #825.MFC42(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 1000859A
                                                  • #825.MFC42(?,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 100085BD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #825$CloseHandle$D@2@@std@@D@std@@Tidy@?$basic_string@U?$char_traits@V?$allocator@
                                                  • String ID:
                                                  • API String ID: 2070391518-0
                                                  APIs
                                                  • ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z.MSVCP60(?,?,?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009AAA
                                                  • ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z.MSVCP60(?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009ABB
                                                  • ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z.MSVCP60(?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009ACC
                                                  • #825.MFC42(?,?,?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009AF5
                                                  • CloseHandle.KERNEL32(?,?,?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009B2A
                                                  • CloseHandle.KERNEL32(?,?,?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009B3D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: D@2@@std@@D@std@@Refcnt@?$basic_string@U?$char_traits@V?$allocator@$CloseHandle$#825
                                                  • String ID:
                                                  • API String ID: 3981934315-0
                                                  APIs
                                                  • _snprintf.MSVCRT ref: 1002CCCF
                                                    • Part of subcall function 1002CBD0: inet_addr.WS2_32(?), ref: 1002CBDA
                                                  • recv.WS2_32(00000000,?,00000002,00000000), ref: 1002CD31
                                                  • CreateThread.KERNEL32(00000000,00000000,1002CBF0,?,00000000,?), ref: 1002CD80
                                                  • CloseHandle.KERNEL32(00000000), ref: 1002CD94
                                                  • Sleep.KERNEL32(000003E8), ref: 1002CD9D
                                                  • closesocket.WS2_32(00000000), ref: 1002CDB1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateHandleSleepThread_snprintfclosesocketinet_addrrecv
                                                  • String ID:
                                                  • API String ID: 1576220768-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: malloc$Tablefree
                                                  • String ID:
                                                  • API String ID: 2903114640-0
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1002BE71
                                                  • Process32First.KERNEL32(00000000,00000000), ref: 1002BE8B
                                                  • _strcmpi.MSVCRT ref: 1002BEA7
                                                  • Process32Next.KERNEL32(00000000,?), ref: 1002BEB6
                                                  • CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 1002BEC0
                                                  • CloseHandle.KERNEL32(00000000,?,75A78400), ref: 1002BED3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32_strcmpi
                                                  • String ID:
                                                  • API String ID: 2975077063-0
                                                  APIs
                                                  • wsprintfA.USER32 ref: 1002516A
                                                    • Part of subcall function 10014700: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                    • Part of subcall function 10014700: GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                    • Part of subcall function 10014700: #823.MFC42(?), ref: 10014763
                                                    • Part of subcall function 10014700: #823.MFC42(?,?), ref: 100147DA
                                                  • lstrlenA.KERNEL32(?), ref: 10025196
                                                  • lstrlenA.KERNEL32(?), ref: 100251A2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823lstrlen$AddressLibraryLoadProcwsprintf
                                                  • String ID: 3389$PortNumber$SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\%s
                                                  • API String ID: 2676723305-3034822107
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: getenvmallocsscanf
                                                  • String ID: %ld%c$JPEGMEM$x
                                                  • API String ID: 677315340-3402169052
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1000EC48
                                                    • Part of subcall function 1000EBE0: GetVersionExA.KERNEL32 ref: 1000EBF3
                                                  • ShellExecuteExA.SHELL32(0000003C), ref: 1000ECE7
                                                  • ExitProcess.KERNEL32 ref: 1000ECF5
                                                  Similarity
                                                  • API ID: ExecuteExitFileModuleNameProcessShellVersion
                                                  • String ID: <$runas
                                                  • API String ID: 984616556-1187129395
                                                  APIs
                                                  • ShellExecuteExA.SHELL32 ref: 10009EC1
                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 10009ED2
                                                  • CloseHandle.KERNEL32(?), ref: 10009EDD
                                                  Similarity
                                                  • API ID: CloseExecuteHandleObjectShellSingleWait
                                                  • String ID: <$@
                                                  • API String ID: 3837156514-1426351568
                                                  APIs
                                                  • LoadLibraryW.KERNEL32(ntdll.dll,?,00000000,1001B2AF,?,?,?), ref: 1001AC59
                                                  • GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 1001AC6B
                                                  • FreeLibrary.KERNEL32(00000000), ref: 1001AC95
                                                  Similarity
                                                  • API ID: Library$AddressFreeLoadProc
                                                  • String ID: RtlGetNtVersionNumbers$ntdll.dll
                                                  • API String ID: 145871493-1263206204
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,WaitForSingleObject,?,10016C10,?,?,?,?,?,10098A80,000000FF), ref: 10010B7D
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10010B84
                                                  • Sleep.KERNEL32(00000096,?,?,?,?,?,10098A80,000000FF), ref: 10010B97
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProcSleep
                                                  • String ID: KERNEL32.dll$WaitForSingleObject
                                                  • API String ID: 188063004-3889371928
                                                  APIs
                                                    • Part of subcall function 10005230: #823.MFC42 ref: 1000525B
                                                    • Part of subcall function 10005230: #823.MFC42(?), ref: 1000526A
                                                  • lstrlenA.KERNEL32(?), ref: 1002945B
                                                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 10029478
                                                  • lstrlenA.KERNEL32(?), ref: 100294B8
                                                  • LocalSize.KERNEL32(00000000), ref: 100294FC
                                                  • LocalFree.KERNEL32(00000000), ref: 1002950E
                                                  Similarity
                                                  • API ID: Local$#823lstrlen$AllocFreeSize
                                                  • String ID:
                                                  • API String ID: 933119475-0
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?), ref: 10017309
                                                  • CloseHandle.KERNEL32(?), ref: 10017316
                                                  • #823.MFC42(00000110), ref: 1001733A
                                                  • #823.MFC42(00000110), ref: 1001736B
                                                    • Part of subcall function 10018A50: LoadCursorA.USER32(00000000,00000000), ref: 10018B13
                                                  • #823.MFC42(00000110), ref: 10017392
                                                  Similarity
                                                  • API ID: #823$CloseCursorHandleLoadObjectSingleWait
                                                  • String ID:
                                                  • API String ID: 1032503192-0
                                                  APIs
                                                  • CreateDIBSection.GDI32(10019096,?,00000000,10019096,00000000,00000000), ref: 100192BE
                                                  • SelectObject.GDI32(?,00000000), ref: 100192CD
                                                  • BitBlt.GDI32(?,?,?,?,?,?,?,?,?), ref: 100192EA
                                                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 1001930A
                                                  • DeleteObject.GDI32(?), ref: 10019332
                                                  Similarity
                                                  • API ID: Object$CreateDeleteSectionSelect
                                                  • String ID:
                                                  • API String ID: 3188413882-0
                                                  APIs
                                                  • #825.MFC42(?,?), ref: 10021631
                                                  • #825.MFC42(?), ref: 1002168E
                                                  • ??0_Lockit@std@@QAE@XZ.MSVCP60 ref: 100216A2
                                                  • ??1_Lockit@std@@QAE@XZ.MSVCP60 ref: 100216C5
                                                  • #825.MFC42(00000000), ref: 100216D0
                                                    • Part of subcall function 10022900: #825.MFC42(?,?,1012C4D0,?,1002162E,?), ref: 10022922
                                                  Similarity
                                                  • API ID: #825$Lockit@std@@$??0_??1_
                                                  • String ID:
                                                  • API String ID: 3320149174-0
                                                  • Opcode ID: 44884d60d9ebe940b958c19c5d6e14871c38c2eac28a656e2b76ce7b181ef5d9
                                                  • Instruction ID: d0047ffbaccaa5ad6d99a9ed72ec1d055d3ab89d0cdd8ff84e98db7356d77a2b
                                                  • Opcode Fuzzy Hash: 44884d60d9ebe940b958c19c5d6e14871c38c2eac28a656e2b76ce7b181ef5d9
                                                  • Instruction Fuzzy Hash: 2531AEB96007559FC710DFA8E8C485EB3E9FB9875079A481DE85AC3A00EB34FD448B92
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InternetOpen
                                                  • String ID: y$y
                                                  • API String ID: 2038078732-2085659379
                                                  • Opcode ID: dc452fb532a8b3440562dfce708e2233d078e41fe58a17104d6ab9b3988a5d1b
                                                  • Instruction ID: b3f128dd8a4f2f937591d2b39a566a4fd65ce5111e4adbe3f1b9da6999f925d3
                                                  • Opcode Fuzzy Hash: dc452fb532a8b3440562dfce708e2233d078e41fe58a17104d6ab9b3988a5d1b
                                                  • Instruction Fuzzy Hash: F0212C796082145BD200DB68BC95AAF77D9EBC4610F440439FD49D7341DBB5EA0982E7
                                                  APIs
                                                  • #6662.MFC42(0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,10098798,000000FF,10011468,00000000,100114A3,00000000,00000000,00000000), ref: 10011A82
                                                  • #4278.MFC42(1001150F,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,10098798,000000FF,10011468,00000000,100114A3), ref: 10011A9E
                                                  • #6883.MFC42(?,00000000,1001150F,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,10098798,000000FF,10011468), ref: 10011AB2
                                                  • #800.MFC42(?,00000000,1001150F,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,10098798,000000FF,10011468), ref: 10011AC3
                                                  • #6662.MFC42(0000005C,00000001,?,00000000,1001150F,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,10098798), ref: 10011AD0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #6662$#4278#6883#800
                                                  • String ID:
                                                  • API String ID: 2113711092-0
                                                  • Opcode ID: 774a556c8fd2fdb14a6c748a972ff41b9b256d90f559a08a3d16b273acc7db09
                                                  • Instruction ID: f4fe6630835c94391bfcc8c2be099bdb1318b56aaed041f5013be16c963cdde2
                                                  • Opcode Fuzzy Hash: 774a556c8fd2fdb14a6c748a972ff41b9b256d90f559a08a3d16b273acc7db09
                                                  • Instruction Fuzzy Hash: A611F0363016159BDB18DE29DC45BAEBB95EF846B0F81072CF82A8B2C0DA34EC458691
                                                  APIs
                                                  • SetFilePointer.KERNEL32(?,?,00000001,00000000,?,?,00000065,1000878E,00000001,00000001,?,00000001,00000001,00000001), ref: 1000956E
                                                  • LocalAlloc.KERNEL32(00000040,00019000,?,?,00000065,1000878E), ref: 10009583
                                                  • ReadFile.KERNEL32(?,00000009,00018FF7,?,00000000,?,?,00000065,1000878E), ref: 100095B0
                                                  • LocalFree.KERNEL32(00000000,?,?,00000065,1000878E), ref: 100095CD
                                                  • LocalFree.KERNEL32(00000000,?,?,00000065,1000878E), ref: 100095E7
                                                    • Part of subcall function 10009600: CloseHandle.KERNEL32(?,00000000,100095E2,?,?,00000065,1000878E), ref: 1000960F
                                                    • Part of subcall function 10009600: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,00000001,00000000,100095E2,?,?,00000065,1000878E), ref: 1000963C
                                                    • Part of subcall function 10009600: #825.MFC42(00000001,?,?,00000065,1000878E), ref: 10009643
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Local$FileFree$#825AllocCloseD@2@@std@@D@std@@HandlePointerReadTidy@?$basic_string@U?$char_traits@V?$allocator@
                                                  • String ID:
                                                  • API String ID: 1358099757-0
                                                  • Opcode ID: 63df56e09b5848d09f2d368d6da1cb594e9dd00ae11557fb136ebf9b1cc4f06e
                                                  • Instruction ID: c1002f4ed646788d97939a754a35c43ee484aff7721c1be338d8eb9f0dbbf468
                                                  • Opcode Fuzzy Hash: 63df56e09b5848d09f2d368d6da1cb594e9dd00ae11557fb136ebf9b1cc4f06e
                                                  • Instruction Fuzzy Hash: 911172B63007029BE310CF69DC84B97B7E9FB88361F148A29F655C7281C730E815CB65
                                                  APIs
                                                    • Part of subcall function 10010B70: LoadLibraryA.KERNEL32(KERNEL32.dll,WaitForSingleObject,?,10016C10,?,?,?,?,?,10098A80,000000FF), ref: 10010B7D
                                                    • Part of subcall function 10010B70: GetProcAddress.KERNEL32(00000000), ref: 10010B84
                                                    • Part of subcall function 10010B70: Sleep.KERNEL32(00000096,?,?,?,?,?,10098A80,000000FF), ref: 10010B97
                                                    • Part of subcall function 10016FB0: GetDeviceCaps.GDI32(?,00000076), ref: 10016FE0
                                                    • Part of subcall function 10016FB0: GetDeviceCaps.GDI32(?,00000075), ref: 10016FF3
                                                  • SystemParametersInfoA.USER32(00000056,00000001,00000000,00000000), ref: 10016CA5
                                                  • SendMessageA.USER32(0000FFFF,00000112,0000F170,00000002), ref: 10016CB8
                                                  • Sleep.KERNEL32(000000C8), ref: 10016CF5
                                                    • Part of subcall function 10016640: InterlockedExchange.KERNEL32(?,00000000), ref: 1001666A
                                                    • Part of subcall function 10016640: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,10098A71,000000FF), ref: 10016675
                                                    • Part of subcall function 10016640: CloseHandle.KERNEL32(?,?,?,?,?,?,10098A71,000000FF), ref: 10016682
                                                    • Part of subcall function 10016640: #823.MFC42(000001F0), ref: 100166B0
                                                    • Part of subcall function 10016640: InterlockedExchange.KERNEL32(?,00000001), ref: 1001676D
                                                  • SystemParametersInfoA.USER32(00000056,00000000,00000000,00000000), ref: 10016CD4
                                                  • SendMessageA.USER32(0000FFFF,00000112,0000F170,000000FF), ref: 10016CE7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CapsDeviceExchangeInfoInterlockedMessageParametersSendSleepSystem$#823AddressCloseHandleLibraryLoadObjectProcSingleWait
                                                  • String ID:
                                                  • API String ID: 2254935227-0
                                                  • Opcode ID: 9506a06792d0069b6a6458655b0cf65f29beff7c4f91902517e3ce6a3822e8cd
                                                  • Instruction ID: d507dce4c51d5113e1dde7e79a99317680dafb16c6daa1e476697c3642f9f1bd
                                                  • Opcode Fuzzy Hash: 9506a06792d0069b6a6458655b0cf65f29beff7c4f91902517e3ce6a3822e8cd
                                                  • Instruction Fuzzy Hash: F811E13438431969F960EB244C42FAA7786DF89B50F20013ABB49AF2D3C9F0F884D568
                                                  APIs
                                                  • #823.MFC42(00000018,?,?,?,?,100215C5,100215A5,?,?,100215A5), ref: 1002245E
                                                  • ??0_Lockit@std@@QAE@XZ.MSVCP60(?,?,?,?,?,100215A5), ref: 10022478
                                                  • ??1_Lockit@std@@QAE@XZ.MSVCP60(?,?,?,?,?,100215A5), ref: 100224AA
                                                  • #825.MFC42(00000000,?,?,?,?,?,100215A5), ref: 100224B5
                                                  • #823.MFC42(00000018,?,?,?,?,?,100215A5), ref: 100224C5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823Lockit@std@@$#825??0_??1_
                                                  • String ID:
                                                  • API String ID: 2469163743-0
                                                  • Opcode ID: 5983a31d6c0b2385020132a838b852cedda4d359ec4bf03b4e395dbc7ee0bfcc
                                                  • Instruction ID: b06e2967b2ca456887b4d405c0e424707d268abfb114cbb194693c0cad6d653d
                                                  • Opcode Fuzzy Hash: 5983a31d6c0b2385020132a838b852cedda4d359ec4bf03b4e395dbc7ee0bfcc
                                                  • Instruction Fuzzy Hash: 7511BCB1504385AFC300DF99E8C0856FBE5FF68300B65806EE589C7B22D774B889CB92
                                                  APIs
                                                  • WTSQuerySessionInformationW.WTSAPI32 ref: 10024AB4
                                                  • lstrcpyW.KERNEL32(?,00000000,00000000), ref: 10024AD4
                                                  • WTSFreeMemory.WTSAPI32(?), ref: 10024ADF
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000200,?,000000FF,00000000,00000104,00000000,00000000,?), ref: 10024B18
                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 10024B2B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpy$ByteCharFreeInformationMemoryMultiQuerySessionWide
                                                  • String ID:
                                                  • API String ID: 2394411120-0
                                                  • Opcode ID: 1b9fc8bdf879ab64dffc80c6641e543ed05e3d8dc88176b00b51a123d4ec99f8
                                                  • Instruction ID: 955f71c2f156101e58c3954c60e55afc292817027518ed639cbb0e0337d6e5ae
                                                  • Opcode Fuzzy Hash: 1b9fc8bdf879ab64dffc80c6641e543ed05e3d8dc88176b00b51a123d4ec99f8
                                                  • Instruction Fuzzy Hash: C61165751183417BE310CB58CC45FEB73E8BBC8B10F044A1CF659962C0E674A5088B62
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: fgets$fclosefopenstrncpy
                                                  • String ID:
                                                  • API String ID: 2591305919-0
                                                  • Opcode ID: a718de1b11d99e9b2c0f780aac57e273de9cb2023d6a72551b98dfecfbdeb29f
                                                  • Instruction ID: c7a0ab83454999cfab7ee9e724b1213e8b3a12304a834880fe6d6711e96d4ced
                                                  • Opcode Fuzzy Hash: a718de1b11d99e9b2c0f780aac57e273de9cb2023d6a72551b98dfecfbdeb29f
                                                  • Instruction Fuzzy Hash: DD01DF726002256BE301D728AD81BDB37DCEF88315F950424F98896244EB79EA9486A2
                                                  APIs
                                                  • #858.MFC42(-00000002,00000002,00000000,00000000,10098778,000000FF,10011D9B,?,?,100FB4F0,100FA644), ref: 100119AB
                                                  • #6874.MFC42(0000002F,-00000002,00000002,00000000,00000000,10098778,000000FF,10011D9B,?,?,100FB4F0,100FA644), ref: 100119B4
                                                  • #6874.MFC42(0000002D,0000002F,-00000002,00000002,00000000,00000000,10098778,000000FF,10011D9B,?,?,100FB4F0,100FA644), ref: 100119C5
                                                  • #6874.MFC42(00000020,0000002D,0000002F,-00000002,00000002,00000000,00000000,10098778,000000FF,10011D9B,?,?,100FB4F0,100FA644), ref: 100119D6
                                                  • #800.MFC42(00000020,0000002D,0000002F,-00000002,00000002,00000000,00000000,10098778,000000FF,10011D9B,?,?,100FB4F0,100FA644), ref: 100119E7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #6874$#800#858
                                                  • String ID:
                                                  • API String ID: 833685189-0
                                                  • Opcode ID: 8fba9978fbcacef4305ec62f9d20de837d23ef3cff7f8932171e12680254217a
                                                  • Instruction ID: 01b43e94da0ea2eb4e39674b02d587f3c921b09ce4ba7a4e708dea5c2d38b77a
                                                  • Opcode Fuzzy Hash: 8fba9978fbcacef4305ec62f9d20de837d23ef3cff7f8932171e12680254217a
                                                  • Instruction Fuzzy Hash: A401F471208B82AAC704CF54EA15F9AFBD5EB90B60F00063EF0A5476D1DB74E9088392
                                                  APIs
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000001,00000000,1001FB22,1011EC82,?,?,?,?,?,?,?,?), ref: 1001FEE7
                                                  • OpenServiceA.ADVAPI32(00000000,?,00020000,?,?,?,?,?,?,?,?), ref: 1001FF00
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 1001FF0B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: OpenService$CloseHandleManager
                                                  • String ID:
                                                  • API String ID: 4136619037-0
                                                  • Opcode ID: 9b0dc5b076fce1cf9a16b774a2a7847931855da1db67cd2e176fee473d4c4fbc
                                                  • Instruction ID: efb21d9ce1343172679c2ebe97ca72b077adbb798532605da40d3010ccc8a93c
                                                  • Opcode Fuzzy Hash: 9b0dc5b076fce1cf9a16b774a2a7847931855da1db67cd2e176fee473d4c4fbc
                                                  • Instruction Fuzzy Hash: 30E09236219231A7E2217729BC88FDB67A8EFD9791F0B0156F608DA190C6A0D88245E8
                                                  APIs
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002,?,10028552), ref: 10027267
                                                  • OpenServiceA.ADVAPI32(00000000,?,00010010,?,00000065), ref: 10027280
                                                  • StartServiceA.ADVAPI32(00000000,00000000,00000000,?,00000065), ref: 10027297
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,00000065), ref: 1002729E
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,00000065), ref: 100272A1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$CloseHandleOpen$ManagerStart
                                                  • String ID:
                                                  • API String ID: 1485051382-0
                                                  • Opcode ID: de2cff0e2183aa8c2048c1ea4d6f503d246575146b3d388905ddcafbe7147248
                                                  • Instruction ID: a991dfd3618a091cf8bced06e1e14c92db115e9186b32fce010f6c8dd9d2edbc
                                                  • Opcode Fuzzy Hash: de2cff0e2183aa8c2048c1ea4d6f503d246575146b3d388905ddcafbe7147248
                                                  • Instruction Fuzzy Hash: 1AE09B35256621BBF22167149CC5FAB2678FB8DBD0F150205F608961C0CB609C0141AD
                                                  APIs
                                                  • setsockopt.WS2_32(?,0000FFFF,00000080,00000000), ref: 10004F4A
                                                  • CancelIo.KERNEL32(?), ref: 10004F57
                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 10004F66
                                                  • closesocket.WS2_32(?), ref: 10004F73
                                                  • SetEvent.KERNEL32(?), ref: 10004F80
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                                                  • String ID:
                                                  • API String ID: 1486965892-0
                                                  • Opcode ID: 6626a22e340417a29348b83b411036a0a6be5876ad5ce8627d14265979501e30
                                                  • Instruction ID: 7b5b089ba35ea6fa801320ef26441ee9f6e0eb5430616a3962164302b2279ec7
                                                  • Opcode Fuzzy Hash: 6626a22e340417a29348b83b411036a0a6be5876ad5ce8627d14265979501e30
                                                  • Instruction Fuzzy Hash: 81F01275214711AFE6248F64CC88FD777A8BF45711F108B1DF6AE462D0CB70A4488755
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,WideCharToMultiByte,?,00000000,00000000), ref: 10005B96
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005B9D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: KERNEL32.dll$WideCharToMultiByte
                                                  • API String ID: 2574300362-2634761684
                                                  • Opcode ID: 3f2dff838d6c50b6e35792f9c3f23f1c7ba8e3bb5a943dbf87fe4b46237b9eb9
                                                  • Instruction ID: 11a70ebfe6614348c4627575f714f8bac5bc37e03cfb6a5d127c6c7937c6bce2
                                                  • Opcode Fuzzy Hash: 3f2dff838d6c50b6e35792f9c3f23f1c7ba8e3bb5a943dbf87fe4b46237b9eb9
                                                  • Instruction Fuzzy Hash: 2541257250421A8FDB18CE2CC8549AFBBD5FBC4354F154A2DF9A6D3280DA70AD0ACB91
                                                  APIs
                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100108E8
                                                  • Sleep.KERNEL32(000004D2), ref: 1001098C
                                                    • Part of subcall function 10010790: CloseHandle.KERNEL32(00000000), ref: 10010893
                                                  • DeleteFileA.KERNEL32(?), ref: 1001094D
                                                    • Part of subcall function 10010790: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100107C2
                                                    • Part of subcall function 10010790: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 10010837
                                                    • Part of subcall function 10010790: GetFileSize.KERNEL32(00000000,00000000), ref: 10010846
                                                    • Part of subcall function 10010790: #823.MFC42(00000000), ref: 1001084F
                                                    • Part of subcall function 10010790: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10010862
                                                    • Part of subcall function 10010790: #825.MFC42(00000000), ref: 1001088A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$DirectorySystem$#823#825CloseCreateDeleteHandleReadSizeSleep
                                                  • String ID: .key
                                                  • API String ID: 3115437274-343438762
                                                  • Opcode ID: a96574d81c46762344fc3343623d057d93ebf2ababc3c40e8b4745195a2ba852
                                                  • Instruction ID: 6c8f07c80318120aef5ae7d44ab656afb01d193eb1c0889538d79381634ba695
                                                  • Opcode Fuzzy Hash: a96574d81c46762344fc3343623d057d93ebf2ababc3c40e8b4745195a2ba852
                                                  • Instruction Fuzzy Hash: 1E210775B046540BE719D634889076A7BC5FBC1330F58031AF6978B2C2CEF898888755
                                                  APIs
                                                  • SHGetSpecialFolderPathA.SHELL32 ref: 10007877
                                                  • CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000), ref: 100078ED
                                                  • CloseHandle.KERNEL32(00000000), ref: 10007917
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateFileFolderHandlePathSpecial
                                                  • String ID: p
                                                  • API String ID: 3113538180-2181537457
                                                  • Opcode ID: 5da1870f2322d6a31bcdac28cb17ebf9f43366c6ecd2797be473c450de5ccda1
                                                  • Instruction ID: fb9301c769810b0d049b01ddbf7940714647d0c15556b6550ef7852ede3c4a13
                                                  • Opcode Fuzzy Hash: 5da1870f2322d6a31bcdac28cb17ebf9f43366c6ecd2797be473c450de5ccda1
                                                  • Instruction Fuzzy Hash: CB210A716006041FE718CA389C46BEB76C5FBC4330F588B2DF96ACB2D1DAF489098750
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveOutWrite), ref: 1000141E
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001425
                                                    • Part of subcall function 100014B0: LoadLibraryA.KERNEL32(WINMM.dll,waveOutOpen), ref: 100014C9
                                                    • Part of subcall function 100014B0: GetProcAddress.KERNEL32(00000000), ref: 100014D2
                                                    • Part of subcall function 100014B0: LoadLibraryA.KERNEL32(WINMM.dll,waveOutPrepareHeader), ref: 100014E2
                                                    • Part of subcall function 100014B0: GetProcAddress.KERNEL32(00000000), ref: 100014E5
                                                    • Part of subcall function 100014B0: LoadLibraryA.KERNEL32(WINMM.dll,waveOutGetNumDevs), ref: 100014F5
                                                    • Part of subcall function 100014B0: GetProcAddress.KERNEL32(00000000), ref: 100014F8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: WINMM.dll$waveOutWrite
                                                  • API String ID: 2574300362-665518901
                                                  • Opcode ID: 4a4c6bc64acc4bfc1f0c5e94051bfa256714ece8f52ffe926b99e450b8b27139
                                                  • Instruction ID: 94ba89aa586d5954ea77ca1480e0960dd09743874461cbc46f4ab6b518109010
                                                  • Opcode Fuzzy Hash: 4a4c6bc64acc4bfc1f0c5e94051bfa256714ece8f52ffe926b99e450b8b27139
                                                  • Instruction Fuzzy Hash: C211A0762043048FEB08DF68D8C89A6BBE5FB88380B15855DFE468B346DB71EC01DB20
                                                  APIs
                                                  • SetFilePointer.KERNEL32(?,?,?,00000000,?,?,00000065,?,00000001,00000001,00000001), ref: 10009DAA
                                                  • WriteFile.KERNEL32(?,?,?,?,00000000,?,00000065,?,00000001,00000001,00000001), ref: 10009DC6
                                                  • SetFilePointer.KERNEL32 ref: 10009DE4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Pointer$Write
                                                  • String ID: p
                                                  • API String ID: 3847668363-2181537457
                                                  • Opcode ID: aa322e81eecda5844740ab48266e82d2f9faeacbe78758d31681d1f169d9bd49
                                                  • Instruction ID: 1a9338856e1de5b0d7c3f8fb7aa3c1ae0f192f66fa92f10234f7d2b8d6558fe2
                                                  • Opcode Fuzzy Hash: aa322e81eecda5844740ab48266e82d2f9faeacbe78758d31681d1f169d9bd49
                                                  • Instruction Fuzzy Hash: 811127B5608341ABE210DB28CC85F9BB7E9FBD8714F108A0CF99893280D674A9058BA1
                                                  APIs
                                                    • Part of subcall function 10001B80: InitializeCriticalSection.KERNEL32(00000001,?,100048DA,00000000), ref: 10001B98
                                                  • WSAStartup.WS2_32(00000202,?), ref: 1000491D
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000492B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateCriticalEventInitializeSectionStartup
                                                  • String ID: a$m
                                                  • API String ID: 1327880603-1958708294
                                                  • Opcode ID: e82e673a30c8e1feecafb6a2e90b74171136679baf06e6cd822636bf2ff756d4
                                                  • Instruction ID: fb24ae0377e714457c16f4a52ba150758387226036423692d2cdc97d3624b5ca
                                                  • Opcode Fuzzy Hash: e82e673a30c8e1feecafb6a2e90b74171136679baf06e6cd822636bf2ff756d4
                                                  • Instruction Fuzzy Hash: 87118B741087809EE321DB28C856BD6BBE4BF19B50F048A5DE4EE472C1DBB96008CB23
                                                  APIs
                                                  • #823.MFC42(00000014,0036EE80,00000000,?,?,?,?,?,?,?,?,?,?,?,10028BA4,?), ref: 100251B7
                                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 100251DB
                                                  • wsprintfA.USER32 ref: 10025201
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823GlobalMemoryStatuswsprintf
                                                  • String ID: @
                                                  • API String ID: 1983843647-2766056989
                                                  • Opcode ID: 3082bb6caa32cd3bc4c4fd3183e1c4d8d191cb53460fc1ec533a8aa7772a160b
                                                  • Instruction ID: f3586ce1f315d8e5200afad839a6d53935e391c3c3fd0bac21ad37102c1b694d
                                                  • Opcode Fuzzy Hash: 3082bb6caa32cd3bc4c4fd3183e1c4d8d191cb53460fc1ec533a8aa7772a160b
                                                  • Instruction Fuzzy Hash: CFF082B96002106FE3109B18DC45B9B76D5FBC4340F444839F94997351E634A91846A7
                                                  APIs
                                                  • #823.MFC42(00000014,76320450,00000000,?,?,?,?,?,?,?,?,?,?,?,10028BC0,00000000), ref: 10025D57
                                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 10025D7B
                                                  • wsprintfA.USER32 ref: 10025DA1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823GlobalMemoryStatuswsprintf
                                                  • String ID: @
                                                  • API String ID: 1983843647-2766056989
                                                  • Opcode ID: 2c1426b844ec4890cecffe6c6ea2bd548501e2367dd710cd45ab98b25f812d44
                                                  • Instruction ID: 68db8f0e8b07156b776b32dc094ec4f6989ccbd81b51ca364bbff1441fbe924d
                                                  • Opcode Fuzzy Hash: 2c1426b844ec4890cecffe6c6ea2bd548501e2367dd710cd45ab98b25f812d44
                                                  • Instruction Fuzzy Hash: 81F0A7B96002106FE310DB1CDC45B9B7AD5FBC4350F448839F94997361E534E91846E7
                                                  APIs
                                                  • GetCurrentThreadId.KERNEL32 ref: 1002C581
                                                  • GetThreadDesktop.USER32(00000000,?,100175AC), ref: 1002C588
                                                    • Part of subcall function 1002BFA0: LoadLibraryA.KERNEL32(USER32.dll,OpenDesktopA,?,?,00000000,1002BD69,00000000), ref: 1002BFBB
                                                    • Part of subcall function 1002BFA0: GetProcAddress.KERNEL32(00000000), ref: 1002BFC4
                                                  • PostMessageA.USER32(0000FFFF,00000312,00000000,002E0003), ref: 1002C5B4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Thread$AddressCurrentDesktopLibraryLoadMessagePostProc
                                                  • String ID: Winlogon
                                                  • API String ID: 133172028-744610081
                                                  • Opcode ID: 242db8ab55aa662cddecfec2b8c871fd48c62965e161710e4222ca4a2be0b19c
                                                  • Instruction ID: e93cc812523cb44e295c7d064e00c4424adc5c629e52797c15fbe6cd81990dd9
                                                  • Opcode Fuzzy Hash: 242db8ab55aa662cddecfec2b8c871fd48c62965e161710e4222ca4a2be0b19c
                                                  • Instruction Fuzzy Hash: D6E0CD77E41A7417FA6167B87D4AFEE32089F11B40F850270F509A9582D654FFC142D1
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,?,?,1000F32E,?,?,00000000,1001DC8E,?,100FA3E4,?), ref: 100109D0
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100109D7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: CreateEventA$KERNEL32.dll
                                                  • API String ID: 2574300362-2476775342
                                                  • Opcode ID: 469b438b5aded452e172ac3230856e7048f68a61c6940f547f20e5805d7e4c6b
                                                  • Instruction ID: 81657b418f3b05921348bdbd49973478ffcbca97394684bddc953fa459c75907
                                                  • Opcode Fuzzy Hash: 469b438b5aded452e172ac3230856e7048f68a61c6940f547f20e5805d7e4c6b
                                                  • Instruction Fuzzy Hash: 6CE08C756403206BE360DFA89C49F867A98EF48701F04881EF349E7281CAB0A840CB68
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,CloseHandle,00000000,1000F45B,00000000,00000000,1001DDE5), ref: 10010A23
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10010A2A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: CloseHandle$KERNEL32.dll
                                                  • API String ID: 2574300362-2295661983
                                                  • Opcode ID: 2de6c06c0082ca299113b42d5527bf64b86f77828aa010fa56cfdb5699a9f8eb
                                                  • Instruction ID: cf30f3b007e41bfee70c41d9c59be6cb1b231e04fc18b526b816a338234f57c5
                                                  • Opcode Fuzzy Hash: 2de6c06c0082ca299113b42d5527bf64b86f77828aa010fa56cfdb5699a9f8eb
                                                  • Instruction Fuzzy Hash: F9C012B94112215FD724EFA4EC4C8D63A58FF44301348494DF55993211CF745840CBA0
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA), ref: 1002C05A
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002C061
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: KERNEL32.dll$lstrlenA
                                                  • API String ID: 2574300362-1796993502
                                                  • Opcode ID: edc774852e8e3706412007467209bf43f6aea4114b0a715b5a73b4a8eec03814
                                                  • Instruction ID: 67c29b826fcb9cbe513ae8f82be5c437f769f953f774e74eedc1823db7db72f9
                                                  • Opcode Fuzzy Hash: edc774852e8e3706412007467209bf43f6aea4114b0a715b5a73b4a8eec03814
                                                  • Instruction Fuzzy Hash: 8BC092F8401228AFDB20AFA4DCCCE8D3A68FB4534A3A84584FA15A1624DB381080AA64
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $u%04x
                                                  • API String ID: 0-2846719512
                                                  • Opcode ID: 1f6d89d554986cdd82fb0e2794668e6e0531af68cd05daea2109b4fdf41f23a8
                                                  • Instruction ID: 926f1c216a8361e60bc3445ae8a78ded31acc7b6cea92631c0d95b6b2ff4fbf9
                                                  • Opcode Fuzzy Hash: 1f6d89d554986cdd82fb0e2794668e6e0531af68cd05daea2109b4fdf41f23a8
                                                  • Instruction Fuzzy Hash: A8615D616083C64FF713CE289C4075BBBD9EF962D4F28C46DE9C6C724AE761854A8352
                                                  APIs
                                                  • #825.MFC42(?,00000000,?,?,?,1001112D,00000000,000000FF,00000000,000000FF,00000000,?), ref: 100121D1
                                                  • #823.MFC42(00000000,00000000,?,?,?,1001112D,00000000,000000FF,00000000,000000FF,00000000,?), ref: 100121F6
                                                    • Part of subcall function 10012350: #540.MFC42(00000000,?,?,00000000), ref: 100123A6
                                                    • Part of subcall function 10012350: #540.MFC42(00000000,?,?,00000000), ref: 100123B3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #540$#823#825
                                                  • String ID:
                                                  • API String ID: 3261958014-0
                                                  • Opcode ID: 103bab456209c4811671d232b7a5f097ed692de7c0e3af0ad8c5a2e5f0cf1076
                                                  • Instruction ID: a9c2cb30c09e7b4867e33a31c74d4a8efcae7c34899988356dee3da11abaa517
                                                  • Opcode Fuzzy Hash: 103bab456209c4811671d232b7a5f097ed692de7c0e3af0ad8c5a2e5f0cf1076
                                                  • Instruction Fuzzy Hash: E041C4F6B002049BDB04CF58D88452AF795EFD4260B19C56EED09DF346DA32ECA5C7A0
                                                  APIs
                                                  • #825.MFC42(00000000), ref: 10016211
                                                  • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,100989E8,000000FF), ref: 10016221
                                                  • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,100989E8,000000FF), ref: 100161BC
                                                    • Part of subcall function 10015610: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 100156E2
                                                  • #825.MFC42(?), ref: 100162A9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823#825$Open
                                                  • String ID:
                                                  • API String ID: 2004829228-0
                                                  • Opcode ID: aa64b701f648c89d4f83c9e67f152ad506cafdbe2fab3da718c306b810bf8497
                                                  • Instruction ID: c39e680ff1ef35157a3273b848cd51e689ee12381512b3bd9965d3c22ffeac44
                                                  • Opcode Fuzzy Hash: aa64b701f648c89d4f83c9e67f152ad506cafdbe2fab3da718c306b810bf8497
                                                  • Instruction Fuzzy Hash: 6141F375604A498BC708DF28DC91A6FB3D6FFC8610F98052CF9169B341DB36E949C792
                                                  APIs
                                                  • #825.MFC42(00000000), ref: 10015EB1
                                                  • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,100989A8,000000FF), ref: 10015EC1
                                                  • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,100989A8,000000FF), ref: 10015E5C
                                                    • Part of subcall function 10015610: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 100156E2
                                                  • #825.MFC42(?), ref: 10015F49
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823#825$Open
                                                  • String ID:
                                                  • API String ID: 2004829228-0
                                                  • Opcode ID: 4ae3ca370cfda8762aa8d13eabc5d5ff90e0b2bde75b508d9fa136ebdcbf54e3
                                                  • Instruction ID: 2efc35274b5ba7278b038ebc5a3111e863889b82502acd3cbbaa6e4a2c2e9c7a
                                                  • Opcode Fuzzy Hash: 4ae3ca370cfda8762aa8d13eabc5d5ff90e0b2bde75b508d9fa136ebdcbf54e3
                                                  • Instruction Fuzzy Hash: 0E410275604645CBC708DE28C891A6BB3D6FBC8611F88052CF9568F341EB36EA49C793
                                                  APIs
                                                  • #825.MFC42(00000000), ref: 10015CE3
                                                  • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,10098988), ref: 10015CF7
                                                  • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,10098988), ref: 10015C88
                                                    • Part of subcall function 10015610: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 100156E2
                                                  • #825.MFC42(00000000), ref: 10015D76
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823#825$Open
                                                  • String ID:
                                                  • API String ID: 2004829228-0
                                                  • Opcode ID: 700a397ec51c5c2ed7ecb5a4c3658066741b272a4fb707a3ed6d65b6fcbd4b57
                                                  • Instruction ID: 22f7ffdec03bb76be5668379c17d5a3ef63f933eeaa720f834c9e29fb4dd8e5d
                                                  • Opcode Fuzzy Hash: 700a397ec51c5c2ed7ecb5a4c3658066741b272a4fb707a3ed6d65b6fcbd4b57
                                                  • Instruction Fuzzy Hash: A541FD35608645DFC708DE28D89166FB3E6FBC8610F88052CF9469B351DB32E989CB92
                                                  APIs
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823$strstr
                                                  • String ID:
                                                  • API String ID: 3700887599-0
                                                  • Opcode ID: 1feb712d2eb87b772129509cba575338db839c6f83ad0c279dda09971329dd7f
                                                  • Instruction ID: e7a3bb7836f99c4b21098aa8e2ae082227a5993f95023b9609139f1e4e40139e
                                                  • Opcode Fuzzy Hash: 1feb712d2eb87b772129509cba575338db839c6f83ad0c279dda09971329dd7f
                                                  • Instruction Fuzzy Hash: 1721AD3A2105180B871CC97DAC1152B7AC2FBC9631B6A432EFA2BC7BD1DEA5DD058380
                                                  APIs
                                                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 10006D7E
                                                  • LoadLibraryA.KERNEL32(?), ref: 10006D9A
                                                    • Part of subcall function 100069B0: GetProcessHeap.KERNEL32(00000000,?,?), ref: 100069C0
                                                    • Part of subcall function 100069B0: HeapReAlloc.KERNEL32(00000000), ref: 100069C7
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 10006E08
                                                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 10006E2F
                                                  Yara matches
                                                  Similarity
                                                  • API ID: HeapRead$AddressAllocLibraryLoadProcProcess
                                                  • String ID:
                                                  • API String ID: 2932169029-0
                                                  • Opcode ID: 0bb20e24d639ff234c6774ad8937788d10a102b94a8500d5cb44c64d04d593d7
                                                  • Instruction ID: 24d0788afd7e564c21ce07679b2cd919d25d482a3edf121e110520330544f2d5
                                                  • Opcode Fuzzy Hash: 0bb20e24d639ff234c6774ad8937788d10a102b94a8500d5cb44c64d04d593d7
                                                  • Instruction Fuzzy Hash: 2C317E76B007069FE310CF29CC80A56B7E9FF493A4B26462AE919C7255EB31E815CB90
                                                  APIs
                                                  • ceil.MSVCRT ref: 10001D8C
                                                  • _ftol.MSVCRT ref: 10001D95
                                                  • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,?,?,?,?,?,?,?,?,1001B646,?,000003C0), ref: 10001DA9
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocVirtual_ftolceil
                                                  • String ID:
                                                  • API String ID: 3317677364-0
                                                  • Opcode ID: a938f9c99390067515d5bb401682070dd3e948cd9475bed688cee5d7a00ad51b
                                                  • Instruction ID: 80e73f680275ecb85cea3faadb907318f444ef36128b6434ffe1c43a84600ab4
                                                  • Opcode Fuzzy Hash: a938f9c99390067515d5bb401682070dd3e948cd9475bed688cee5d7a00ad51b
                                                  • Instruction Fuzzy Hash: 9911E4757083009BE704DF28EC8275ABBE4FBC03A1F04853EFD498B395DA75A809CA65
                                                  APIs
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _ftolceil
                                                  • String ID:
                                                  • API String ID: 2006273141-0
                                                  • Opcode ID: c13413cdfef608f17b66785ed65de3a9914b1a525c6f880948e7d8bc7dc34384
                                                  • Instruction ID: 62e5b31a19e4efc706719f2d7f8223bc0b5f5341a1f9df7ec71081677a67e64d
                                                  • Opcode Fuzzy Hash: c13413cdfef608f17b66785ed65de3a9914b1a525c6f880948e7d8bc7dc34384
                                                  • Instruction Fuzzy Hash: 2911A2756483049BE704EF28EC8676FBBE1FB84791F04853DF9498B344DA36A818C666
                                                  APIs
                                                  • LocalSize.KERNEL32(00000000), ref: 10015AAE
                                                  • LocalFree.KERNEL32(00000000), ref: 10015ABA
                                                  • LocalSize.KERNEL32(00000000), ref: 10015AD5
                                                  • LocalFree.KERNEL32(00000000), ref: 10015AE1
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Local$FreeSize
                                                  • String ID:
                                                  • API String ID: 2726095061-0
                                                  • Opcode ID: c0206f096c02150c192f086eedc162ceac66f92a3276f0c0eb43a5dbeb93a699
                                                  • Instruction ID: 9d4eaa0da794f1e2b3889d11efc9f421fde940f342979db69ca44634e0eb0258
                                                  • Opcode Fuzzy Hash: c0206f096c02150c192f086eedc162ceac66f92a3276f0c0eb43a5dbeb93a699
                                                  • Instruction Fuzzy Hash: 2E11EEB9204654DBC221DB14CC91BBFB3D8FF85251F880629F9915F281DF39EC8586AA
                                                  APIs
                                                  • FreeLibrary.KERNEL32(?,00000000,00000000,?,10006B17,00000000), ref: 10006F50
                                                  • VirtualFree.KERNEL32(5D5E5FC0,00000000,00008000,?,10006B17,00000000), ref: 10006F77
                                                  • GetProcessHeap.KERNEL32(00000000,10006B17,?,10006B17,00000000), ref: 10006F80
                                                  • HeapFree.KERNEL32(00000000), ref: 10006F87
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Free$Heap$LibraryProcessVirtual
                                                  • String ID:
                                                  • API String ID: 548792435-0
                                                  • Opcode ID: 9122a4d877bc4996ce9b38b24836df32d42650a468764ef7b8b38eca707a3637
                                                  • Instruction ID: eb7fda223cfc753f1fed3d2c8a6d49319030a12fba69635afc4c9d01848446bd
                                                  • Opcode Fuzzy Hash: 9122a4d877bc4996ce9b38b24836df32d42650a468764ef7b8b38eca707a3637
                                                  • Instruction Fuzzy Hash: E8112A756007129BE720CF69DC84F57B3E9BF48790F154A28F56AD7694DB30F8418B60
                                                  APIs
                                                  • mbstowcs.MSVCRT ref: 10025257
                                                  • NetUserSetInfo.NETAPI32(00000000,?,000003F0,?,00000000,?,?,?), ref: 1002528E
                                                  • Sleep.KERNEL32(00000064,00000000,?,000003F0,?,00000000,?,?,?), ref: 100252B2
                                                    • Part of subcall function 10025700: LocalSize.KERNEL32(00000000), ref: 10025710
                                                    • Part of subcall function 10025700: LocalFree.KERNEL32(00000000,?,10025C00,00000001,?,00000000,00000001,?,?), ref: 10025720
                                                  • LocalFree.KERNEL32(?,?,?,?), ref: 100252C4
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Local$Free$InfoSizeSleepUsermbstowcs
                                                  • String ID:
                                                  • API String ID: 2733533-0
                                                  • Opcode ID: 6a9604ccc34c4b0797383264fcae3a00f4c44b13357fa65a3340c00f3e20fbd0
                                                  • Instruction ID: 15c901b137dd358fda9146c8f6f94cc6f523190a05e50031364fc71d2f867a2a
                                                  • Opcode Fuzzy Hash: 6a9604ccc34c4b0797383264fcae3a00f4c44b13357fa65a3340c00f3e20fbd0
                                                  • Instruction Fuzzy Hash: 02110835218301ABE714CB28DC85FDB77D9AFD8705F044A2DF585822D1EBB4E54C8693
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,?,00000000,10097CDC,000000FF,1001DDF6), ref: 100049DC
                                                  • CloseHandle.KERNEL32(?), ref: 100049FF
                                                  • CloseHandle.KERNEL32(?), ref: 10004A08
                                                  • WSACleanup.WS2_32 ref: 10004A0A
                                                    • Part of subcall function 10004F20: setsockopt.WS2_32(?,0000FFFF,00000080,00000000), ref: 10004F4A
                                                    • Part of subcall function 10004F20: CancelIo.KERNEL32(?), ref: 10004F57
                                                    • Part of subcall function 10004F20: InterlockedExchange.KERNEL32(?,00000000), ref: 10004F66
                                                    • Part of subcall function 10004F20: closesocket.WS2_32(?), ref: 10004F73
                                                    • Part of subcall function 10004F20: SetEvent.KERNEL32(?), ref: 10004F80
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandle$CancelCleanupEventExchangeInterlockedObjectSingleWaitclosesocketsetsockopt
                                                  • String ID:
                                                  • API String ID: 136543108-0
                                                  • Opcode ID: c40254e04adc77fad543b95add6b34e372d7ac014e393a6428c3a2a647f4d71d
                                                  • Instruction ID: af8d02120cf7308e6d709f2e7e2ecce89aa86b165303e1ddd931105c7dc64684
                                                  • Opcode Fuzzy Hash: c40254e04adc77fad543b95add6b34e372d7ac014e393a6428c3a2a647f4d71d
                                                  • Instruction Fuzzy Hash: B811BF79008B41DFD324DF28C844B9AB7E8EF85620F044B1CF0AA432D1DBB864098B63
                                                  APIs
                                                  • #537.MFC42(?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011E47
                                                  • #940.MFC42(?,?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011E7E
                                                  • #535.MFC42(?,?,?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011E8F
                                                  • #800.MFC42(?,?,?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011EA5
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #535#537#800#940
                                                  • String ID:
                                                  • API String ID: 1382806170-0
                                                  • Opcode ID: 6f5b847d5374a9d418dd2c0dc61e1757aeba104c962d883d24d17fcf50d4bf0c
                                                  • Instruction ID: 1b94c52f3496be9ecc741279a921140b636ff9e4308d57c3df3fe77fcebb6b55
                                                  • Opcode Fuzzy Hash: 6f5b847d5374a9d418dd2c0dc61e1757aeba104c962d883d24d17fcf50d4bf0c
                                                  • Instruction Fuzzy Hash: E2018B7550C7429FD304DF18C850B9BBBE1EB95764F408A0DF895872A2DB74E84A8B92
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #536#537#800#922
                                                  • String ID:
                                                  • API String ID: 1475696894-0
                                                  • Opcode ID: 7d1a2c313bb10d832db081e31ac023a115b9d5a741b1015456ccb2ce16f95c01
                                                  • Instruction ID: 1cf16686c75a57ace72aecc56e9772a672cb7b67628aacae2db0a16f8193c9c6
                                                  • Opcode Fuzzy Hash: 7d1a2c313bb10d832db081e31ac023a115b9d5a741b1015456ccb2ce16f95c01
                                                  • Instruction Fuzzy Hash: 2301B5B6204650AFC304DF58DD01F9AF7E4FB88B14F408A2DF98997781C779A904CB92
                                                  APIs
                                                  • socket.WS2_32(00000002,00000001,00000000), ref: 1002CB6A
                                                  • htons.WS2_32 ref: 1002CB92
                                                  • connect.WS2_32(00000000,?,00000010), ref: 1002CBA5
                                                  • closesocket.WS2_32(00000000), ref: 1002CBB1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: closesocketconnecthtonssocket
                                                  • String ID:
                                                  • API String ID: 3817148366-0
                                                  • Opcode ID: eb37e080dc3f1f8ccbdf2bbb095a56ed3045b64092a9622a6cfcea14b4e0b0e5
                                                  • Instruction ID: e8f6fcb377fdd042e502e5b9bb1bca880f3579ad8180536aff2f54e253c3389a
                                                  • Opcode Fuzzy Hash: eb37e080dc3f1f8ccbdf2bbb095a56ed3045b64092a9622a6cfcea14b4e0b0e5
                                                  • Instruction Fuzzy Hash: E0F0F6385143306BE700EB7C9C8AADBB7E4FF84324F844B49F9A8822E1E27084045786
                                                  APIs
                                                  • WTSQuerySessionInformationA.WTSAPI32(00000000,000000FF,00000005,?,?), ref: 1002C33C
                                                  • #823.MFC42(00000100,75921760,00000000,000000FF,00000005,?,?), ref: 1002C34B
                                                  • lstrcpyA.KERNEL32(00000000,?,?), ref: 1002C35B
                                                  • WTSFreeMemory.WTSAPI32(?), ref: 1002C366
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823FreeInformationMemoryQuerySessionlstrcpy
                                                  • String ID:
                                                  • API String ID: 3008764780-0
                                                  • Opcode ID: 0d88bfbc678714cad99cd30844ed1c893ef2e85d3cf852497a73032b9528ba91
                                                  • Instruction ID: 0e0dc6ce2e22f62c944f194f199933a30fb1a1041a33420a8a3a97c55cf99f31
                                                  • Opcode Fuzzy Hash: 0d88bfbc678714cad99cd30844ed1c893ef2e85d3cf852497a73032b9528ba91
                                                  • Instruction Fuzzy Hash: F9F0A7B96083116BDB00DB78AC46D9B76E4EB84A11F444A2CF948D2280F574ED08C7F2
                                                  APIs
                                                  • Process32First.KERNEL32(?,00000128), ref: 1000B5B7
                                                  • Process32Next.KERNEL32(?,00000128), ref: 1000B5D5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process32$FirstNext
                                                  • String ID: ???
                                                  • API String ID: 1173892470-1053719742
                                                  • Opcode ID: 712854ab25addc2021797cccdb898ca77ef716bf3bd6518fcb4f01374f701812
                                                  • Instruction ID: f3f52207799e89cd2a562506939f2cbbbb926e58e4282d7ba594e292c06b3d7f
                                                  • Opcode Fuzzy Hash: 712854ab25addc2021797cccdb898ca77ef716bf3bd6518fcb4f01374f701812
                                                  • Instruction Fuzzy Hash: CE010432205A040BD728D9399C419AFB7D6EFC43A0F91462DF826C32C4DF78DE08C691
                                                  APIs
                                                  • #537.MFC42(chrome.exe), ref: 1000D897
                                                    • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                    • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                    • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                    • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                    • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                    • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                    • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                  • Sleep.KERNEL32(000003E8), ref: 1000D8A9
                                                    • Part of subcall function 100048B0: WSAStartup.WS2_32(00000202,?), ref: 1000491D
                                                    • Part of subcall function 100048B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000492B
                                                    • Part of subcall function 10004A60: ResetEvent.KERNEL32(?,?,00000000), ref: 10004A73
                                                    • Part of subcall function 10004A60: socket.WS2_32 ref: 10004A86
                                                    • Part of subcall function 100049A0: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,?,00000000,10097CDC,000000FF,1001DDF6), ref: 100049DC
                                                    • Part of subcall function 100049A0: CloseHandle.KERNEL32(?), ref: 100049FF
                                                    • Part of subcall function 100049A0: CloseHandle.KERNEL32(?), ref: 10004A08
                                                    • Part of subcall function 100049A0: WSACleanup.WS2_32 ref: 10004A0A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process32$#4202#537#5572#800CloseCreateEventHandleNext$CleanupFirstObjectResetSingleSleepSnapshotStartupToolhelp32Waitsocket
                                                  • String ID: chrome.exe
                                                  • API String ID: 294463573-2619149582
                                                  • Opcode ID: 413f5fac699760af77317ec5e9624fd3d42d91d95b11ee00c734fac729361dcc
                                                  • Instruction ID: e8cfcc91c9c3e5e852571cccd77955ef4875b4b34182dd60292e79469f439210
                                                  • Opcode Fuzzy Hash: 413f5fac699760af77317ec5e9624fd3d42d91d95b11ee00c734fac729361dcc
                                                  • Instruction Fuzzy Hash: 5F117FB80086C19FE324DB64D951BDFB7E0EB95750F404A2DE8A9432C1DF342504CBA3
                                                  APIs
                                                  • #537.MFC42(chrome.exe), ref: 1000D997
                                                    • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                    • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                    • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                    • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                    • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                    • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                    • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                  • Sleep.KERNEL32(000003E8), ref: 1000D9A9
                                                    • Part of subcall function 100048B0: WSAStartup.WS2_32(00000202,?), ref: 1000491D
                                                    • Part of subcall function 100048B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000492B
                                                    • Part of subcall function 10004A60: ResetEvent.KERNEL32(?,?,00000000), ref: 10004A73
                                                    • Part of subcall function 10004A60: socket.WS2_32 ref: 10004A86
                                                    • Part of subcall function 100049A0: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,?,00000000,10097CDC,000000FF,1001DDF6), ref: 100049DC
                                                    • Part of subcall function 100049A0: CloseHandle.KERNEL32(?), ref: 100049FF
                                                    • Part of subcall function 100049A0: CloseHandle.KERNEL32(?), ref: 10004A08
                                                    • Part of subcall function 100049A0: WSACleanup.WS2_32 ref: 10004A0A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process32$#4202#537#5572#800CloseCreateEventHandleNext$CleanupFirstObjectResetSingleSleepSnapshotStartupToolhelp32Waitsocket
                                                  • String ID: chrome.exe
                                                  • API String ID: 294463573-2619149582
                                                  • Opcode ID: 834e8d7f9cad2c839f45d9171e9358a02ce01b8385012bf2e1b9649d4ff1e002
                                                  • Instruction ID: f982f30193c1ad135014148bd7e42fe507ed22380a7cef9b94e46ee28a1a2cc4
                                                  • Opcode Fuzzy Hash: 834e8d7f9cad2c839f45d9171e9358a02ce01b8385012bf2e1b9649d4ff1e002
                                                  • Instruction Fuzzy Hash: 20117F785086C09BE324DB64DA51BDFB7E0EB95750F404A2DE8A9432C1DF382604CBA3
                                                  APIs
                                                    • Part of subcall function 1002CDD0: Sleep.KERNEL32(00000064,?,?), ref: 1002CDE1
                                                    • Part of subcall function 1002CDD0: wsprintfA.USER32 ref: 1002CE0C
                                                    • Part of subcall function 1002CDD0: closesocket.WS2_32(00000000), ref: 1002CE24
                                                    • Part of subcall function 1002CDD0: TerminateThread.KERNEL32(?,00000000), ref: 1002CE5C
                                                    • Part of subcall function 1002CDD0: CloseHandle.KERNEL32(1012E204), ref: 1002CE63
                                                  • gethostbyname.WS2_32(1012B958), ref: 10024678
                                                  • inet_ntoa.WS2_32(?), ref: 1002469B
                                                    • Part of subcall function 1002CC90: _snprintf.MSVCRT ref: 1002CCCF
                                                    • Part of subcall function 1002CC90: recv.WS2_32(00000000,?,00000002,00000000), ref: 1002CD31
                                                    • Part of subcall function 1002CC90: CreateThread.KERNEL32(00000000,00000000,1002CBF0,?,00000000,?), ref: 1002CD80
                                                    • Part of subcall function 1002CC90: CloseHandle.KERNEL32(00000000), ref: 1002CD94
                                                    • Part of subcall function 1002CC90: closesocket.WS2_32(00000000), ref: 1002CDB1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandleThreadclosesocket$CreateSleepTerminate_snprintfgethostbynameinet_ntoarecvwsprintf
                                                  • String ID: 127.0.0.1
                                                  • API String ID: 4129115345-3619153832
                                                  • Opcode ID: 4cd9c32e3d450962063fce265e8c3a30ff2eecc2af5e5d8994ec816568a30d23
                                                  • Instruction ID: d83c675e81e86afd25465515131b9e62cf78bbad0e82c00f8af347e2803ba3d5
                                                  • Opcode Fuzzy Hash: 4cd9c32e3d450962063fce265e8c3a30ff2eecc2af5e5d8994ec816568a30d23
                                                  • Instruction Fuzzy Hash: 02E0ED7A2106119BC614DBA8E884DEB77E6FBDC720B04855DF94AD7211C6347841D761
                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(?,00000000,?,?,?,10004E03,?,00000003,00000003,00000000,?,10004C8B,?,00000000,?), ref: 10001C8E
                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,10004E03,?,00000003,00000003,00000000,?,10004C8B,?,00000000,?), ref: 10001CA4
                                                  • memmove.MSVCRT(?,?,00000000,?,?,?,?,10004E03,?,00000003,00000003,00000000,?,10004C8B,?,00000000), ref: 10001CF5
                                                  • LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,10004E03,?,00000003,00000003,00000000,?,10004C8B,?,00000000,?), ref: 10001D1B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4538197817.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538293107.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538410993.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538448636.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538480159.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4538516941.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalSection$Leave$Entermemmove
                                                  • String ID:
                                                  • API String ID: 72348100-0
                                                  • Opcode ID: b2c8c82c961791ae8f53fef40cbf23f5f2d1006caee183a225647bbe481849f1
                                                  • Instruction ID: 50b30369da4871338d3e5076dbae6429fca2f6132d25b88ab6d76ff2db9ab769
                                                  • Opcode Fuzzy Hash: b2c8c82c961791ae8f53fef40cbf23f5f2d1006caee183a225647bbe481849f1
                                                  • Instruction Fuzzy Hash: AE11BF3A3042154FAB08EF749C858EFB799FF94290704452EF907CB346DB71ED0886A0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CharNext$free$AttributesCreateDirectoryErrorFileLastlstrcpylstrlenmalloc
                                                  • String ID:
                                                  • API String ID: 3289936468-0
                                                  • Opcode ID: 242f31426ad57f69496cf5a359c15a3d78e904203da98ddbbe90ee3972058db7
                                                  • Instruction ID: e5bcf6fcaf6474cf11c06b2f5d739369e89de0018cd217908e7742b1c919ccc1
                                                  • Opcode Fuzzy Hash: 242f31426ad57f69496cf5a359c15a3d78e904203da98ddbbe90ee3972058db7
                                                  • Instruction Fuzzy Hash: DB0180B5C04665AFE711DF188C44BEABFE8FB0AAA0F040656E995A3645C7345E028BE1
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,?,?), ref: 100069C0
                                                  • HeapReAlloc.KERNEL32(00000000), ref: 100069C7
                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 100069D5
                                                  • HeapAlloc.KERNEL32(00000000), ref: 100069DC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4538219453.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$AllocProcess
                                                  • String ID:
                                                  • API String ID: 1617791916-0
                                                  • Opcode ID: 8467137ebeee5c80095378d21e104a4eec5c859026c898dd95d044c84a894ab9
                                                  • Instruction ID: 47877cb6062bd81062e19e0104322f8483190e017e00c23344b6b727d1ead73d
                                                  • Opcode Fuzzy Hash: 8467137ebeee5c80095378d21e104a4eec5c859026c898dd95d044c84a894ab9
                                                  • Instruction Fuzzy Hash: B6D04C75604212ABFE449BA8CD8DFAA7BADFB84745F058948F54DCA094C6709840DB31